{
    "apiVersion": "v1",
    "items": [
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/commit_sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/pull_request_number": "1",
                    "build.appstudio.redhat.com/target_branch": "base-forgejo-2ikinu",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-forgejo-2ikinu",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-liyjlq",
                    "pac.test.appstudio.openshift.io/git-provider": "gitea",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-forgejo-2ikinu\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "1",
                    "pac.test.appstudio.openshift.io/repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-qe-bot",
                    "pac.test.appstudio.openshift.io/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pac.test.appstudio.openshift.io/sha-title": "Konflux update test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/sha-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration-2vh4ft",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "forgejo-rep-qw6s/results/3e36e80c-2f63-4d2d-9e10-ea1268ddde25/records/f65a91aa-0d39-4d53-a03b-99bf77eccd1f",
                    "results.tekton.dev/result": "forgejo-rep-qw6s/results/3e36e80c-2f63-4d2d-9e10-ea1268ddde25",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05 is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1782938218000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-forgejo-8iazc4",
                    "test.appstudio.openshift.io/result-chains-git-commit": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft"
                },
                "creationTimestamp": "2026-07-01T20:50:50Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-01T20:51:57Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-d1cc",
                    "appstudio.openshift.io/component": "test-comp-pac-forgejo-8iazc4",
                    "appstudio.openshift.io/snapshot": "integ-app-d1cc-20260701-203658-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "1",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration-2vh4ft",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-resolver-pipeline-pass",
                    "tekton.dev/pipelineRun": "integration-test-taal-qq44j",
                    "tekton.dev/pipelineRunUID": "3e36e80c-2f63-4d2d-9e10-ea1268ddde25",
                    "tekton.dev/pipelineTask": "task-skipped",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1782939045",
                    "test.appstudio.openshift.io/pr-group-sha": "1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05",
                    "test.appstudio.openshift.io/run": "integration-test-taal",
                    "test.appstudio.openshift.io/scenario": "integration-test-taal",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-taal-qq44j-task-skipped",
                "namespace": "forgejo-rep-qw6s",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-taal-qq44j",
                        "uid": "3e36e80c-2f63-4d2d-9e10-ea1268ddde25"
                    }
                ],
                "resourceVersion": "72852",
                "uid": "f65a91aa-0d39-4d53-a03b-99bf77eccd1f"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SKIPPED"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:51:01Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:51:01Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-taal-qq44j-task-skipped-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-01T20:51:00+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-01T20:50:53Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c370a7bc6e172cdbab001f1a19f37ebc95f47c3d8fe2d915fa4641132490ead7",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e798ae790e7fa687535ac8149b7c7c1b0412275bd4296147b6ff19758a612123",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:51:00Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-01T20:51:00+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:51:00Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SKIPPED --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/commit_sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/pull_request_number": "1",
                    "build.appstudio.redhat.com/target_branch": "base-forgejo-2ikinu",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-forgejo-2ikinu",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-liyjlq",
                    "pac.test.appstudio.openshift.io/git-provider": "gitea",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-forgejo-2ikinu\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "1",
                    "pac.test.appstudio.openshift.io/repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-qe-bot",
                    "pac.test.appstudio.openshift.io/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pac.test.appstudio.openshift.io/sha-title": "Konflux update test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/sha-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration-2vh4ft",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "forgejo-rep-qw6s/results/3e36e80c-2f63-4d2d-9e10-ea1268ddde25/records/3c5c29b4-59a4-49ff-8d50-282db30b3372",
                    "results.tekton.dev/result": "forgejo-rep-qw6s/results/3e36e80c-2f63-4d2d-9e10-ea1268ddde25",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05 is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1782938218000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-forgejo-8iazc4",
                    "test.appstudio.openshift.io/result-chains-git-commit": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft"
                },
                "creationTimestamp": "2026-07-01T20:50:50Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-01T20:51:57Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-d1cc",
                    "appstudio.openshift.io/component": "test-comp-pac-forgejo-8iazc4",
                    "appstudio.openshift.io/snapshot": "integ-app-d1cc-20260701-203658-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "1",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration-2vh4ft",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-resolver-pipeline-pass",
                    "tekton.dev/pipelineRun": "integration-test-taal-qq44j",
                    "tekton.dev/pipelineRunUID": "3e36e80c-2f63-4d2d-9e10-ea1268ddde25",
                    "tekton.dev/pipelineTask": "task-success",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1782939045",
                    "test.appstudio.openshift.io/pr-group-sha": "1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05",
                    "test.appstudio.openshift.io/run": "integration-test-taal",
                    "test.appstudio.openshift.io/scenario": "integration-test-taal",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-taal-qq44j-task-success",
                "namespace": "forgejo-rep-qw6s",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-taal-qq44j",
                        "uid": "3e36e80c-2f63-4d2d-9e10-ea1268ddde25"
                    }
                ],
                "resourceVersion": "72855",
                "uid": "3c5c29b4-59a4-49ff-8d50-282db30b3372"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SUCCESS"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:50:57Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:50:57Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-taal-qq44j-task-success-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:50:57+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-01T20:50:50Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c370a7bc6e172cdbab001f1a19f37ebc95f47c3d8fe2d915fa4641132490ead7",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7ffd7e7c4d1f588a2bf4d48ce0effef8b038ca2d95c9204d1deb7ffcb48b2504",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:50:57Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:50:57+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:50:57Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SUCCESS --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/commit_sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/pull_request_number": "1",
                    "build.appstudio.redhat.com/target_branch": "base-forgejo-2ikinu",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-forgejo-2ikinu",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-liyjlq",
                    "pac.test.appstudio.openshift.io/git-provider": "gitea",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-forgejo-2ikinu\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "1",
                    "pac.test.appstudio.openshift.io/repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-qe-bot",
                    "pac.test.appstudio.openshift.io/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pac.test.appstudio.openshift.io/sha-title": "Konflux update test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/sha-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration-2vh4ft",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "forgejo-rep-qw6s/results/3e36e80c-2f63-4d2d-9e10-ea1268ddde25/records/eb0eda2f-74f0-4e8d-8952-9a9337f36d4d",
                    "results.tekton.dev/result": "forgejo-rep-qw6s/results/3e36e80c-2f63-4d2d-9e10-ea1268ddde25",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05 is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1782938218000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-forgejo-8iazc4",
                    "test.appstudio.openshift.io/result-chains-git-commit": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft"
                },
                "creationTimestamp": "2026-07-01T20:50:50Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-01T20:51:57Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-d1cc",
                    "appstudio.openshift.io/component": "test-comp-pac-forgejo-8iazc4",
                    "appstudio.openshift.io/snapshot": "integ-app-d1cc-20260701-203658-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "1",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration-2vh4ft",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-resolver-pipeline-pass",
                    "tekton.dev/pipelineRun": "integration-test-taal-qq44j",
                    "tekton.dev/pipelineRunUID": "3e36e80c-2f63-4d2d-9e10-ea1268ddde25",
                    "tekton.dev/pipelineTask": "task-success-2",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1782939045",
                    "test.appstudio.openshift.io/pr-group-sha": "1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05",
                    "test.appstudio.openshift.io/run": "integration-test-taal",
                    "test.appstudio.openshift.io/scenario": "integration-test-taal",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-taal-qq44j-task-success-2",
                "namespace": "forgejo-rep-qw6s",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-taal-qq44j",
                        "uid": "3e36e80c-2f63-4d2d-9e10-ea1268ddde25"
                    }
                ],
                "resourceVersion": "72851",
                "uid": "eb0eda2f-74f0-4e8d-8952-9a9337f36d4d"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SUCCESS"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:51:00Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:51:00Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-taal-qq44j-task-success-2-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:50:59+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-01T20:50:51Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c370a7bc6e172cdbab001f1a19f37ebc95f47c3d8fe2d915fa4641132490ead7",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://aabb942c9f9b8b2b549a233e1e5dd1f554f90e780fb0bea3ecdfbc65dad031fe",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:50:59Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:50:59+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:50:59Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SUCCESS --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/commit_sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/pull_request_number": "1",
                    "build.appstudio.redhat.com/target_branch": "base-forgejo-2ikinu",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-forgejo-2ikinu",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-liyjlq",
                    "pac.test.appstudio.openshift.io/git-provider": "gitea",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-forgejo-2ikinu\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "1",
                    "pac.test.appstudio.openshift.io/repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-qe-bot",
                    "pac.test.appstudio.openshift.io/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pac.test.appstudio.openshift.io/sha-title": "Konflux update test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/sha-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration-2vh4ft",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "forgejo-rep-qw6s/results/f7513ac1-0dd8-4644-a8e8-bc0c8ba1b33a/records/bd21ec2c-6086-4340-9e7a-44da295e2ad8",
                    "results.tekton.dev/result": "forgejo-rep-qw6s/results/f7513ac1-0dd8-4644-a8e8-bc0c8ba1b33a",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05 is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1782938218000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-forgejo-8iazc4",
                    "test.appstudio.openshift.io/result-chains-git-commit": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft"
                },
                "creationTimestamp": "2026-07-01T20:50:50Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-01T20:51:58Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-d1cc",
                    "appstudio.openshift.io/component": "test-comp-pac-forgejo-8iazc4",
                    "appstudio.openshift.io/snapshot": "integ-app-d1cc-20260701-203658-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "1",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration-2vh4ft",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-resolver-pipeline-pass",
                    "tekton.dev/pipelineRun": "integration-test-taal-zdgz5",
                    "tekton.dev/pipelineRunUID": "f7513ac1-0dd8-4644-a8e8-bc0c8ba1b33a",
                    "tekton.dev/pipelineTask": "task-skipped",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1782939045",
                    "test.appstudio.openshift.io/pr-group-sha": "1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05",
                    "test.appstudio.openshift.io/scenario": "integration-test-taal",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-taal-zdgz5-task-skipped",
                "namespace": "forgejo-rep-qw6s",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-taal-zdgz5",
                        "uid": "f7513ac1-0dd8-4644-a8e8-bc0c8ba1b33a"
                    }
                ],
                "resourceVersion": "72870",
                "uid": "bd21ec2c-6086-4340-9e7a-44da295e2ad8"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SKIPPED"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:51:02Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:51:02Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-taal-zdgz5-task-skipped-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-01T20:51:01+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-01T20:50:52Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c370a7bc6e172cdbab001f1a19f37ebc95f47c3d8fe2d915fa4641132490ead7",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a80d260f99ae71e5fee8a7ce8bc3769c434a4329bb0efd6409f1406c8bdf4a2c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:51:01Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-01T20:51:01+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:51:01Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SKIPPED --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/commit_sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/pull_request_number": "1",
                    "build.appstudio.redhat.com/target_branch": "base-forgejo-2ikinu",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-forgejo-2ikinu",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-liyjlq",
                    "pac.test.appstudio.openshift.io/git-provider": "gitea",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-forgejo-2ikinu\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "1",
                    "pac.test.appstudio.openshift.io/repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-qe-bot",
                    "pac.test.appstudio.openshift.io/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pac.test.appstudio.openshift.io/sha-title": "Konflux update test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/sha-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration-2vh4ft",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "forgejo-rep-qw6s/results/f7513ac1-0dd8-4644-a8e8-bc0c8ba1b33a/records/f519be13-ab27-4024-991a-d098a8c4e41e",
                    "results.tekton.dev/result": "forgejo-rep-qw6s/results/f7513ac1-0dd8-4644-a8e8-bc0c8ba1b33a",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05 is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1782938218000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-forgejo-8iazc4",
                    "test.appstudio.openshift.io/result-chains-git-commit": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft"
                },
                "creationTimestamp": "2026-07-01T20:50:50Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-01T20:51:58Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-d1cc",
                    "appstudio.openshift.io/component": "test-comp-pac-forgejo-8iazc4",
                    "appstudio.openshift.io/snapshot": "integ-app-d1cc-20260701-203658-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "1",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration-2vh4ft",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-resolver-pipeline-pass",
                    "tekton.dev/pipelineRun": "integration-test-taal-zdgz5",
                    "tekton.dev/pipelineRunUID": "f7513ac1-0dd8-4644-a8e8-bc0c8ba1b33a",
                    "tekton.dev/pipelineTask": "task-success",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1782939045",
                    "test.appstudio.openshift.io/pr-group-sha": "1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05",
                    "test.appstudio.openshift.io/scenario": "integration-test-taal",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-taal-zdgz5-task-success",
                "namespace": "forgejo-rep-qw6s",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-taal-zdgz5",
                        "uid": "f7513ac1-0dd8-4644-a8e8-bc0c8ba1b33a"
                    }
                ],
                "resourceVersion": "72874",
                "uid": "f519be13-ab27-4024-991a-d098a8c4e41e"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SUCCESS"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:50:58Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:50:58Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-taal-zdgz5-task-success-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:50:58+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-01T20:50:50Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c370a7bc6e172cdbab001f1a19f37ebc95f47c3d8fe2d915fa4641132490ead7",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://0bc627b7fc838cc60a3919ea491c3e9f098e53bb811653f8b3a28dc1a4b95e0f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:50:58Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:50:58+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:50:58Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SUCCESS --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/commit_sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/pull_request_number": "1",
                    "build.appstudio.redhat.com/target_branch": "base-forgejo-2ikinu",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-forgejo-2ikinu",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-liyjlq",
                    "pac.test.appstudio.openshift.io/git-provider": "gitea",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-forgejo-2ikinu\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "1",
                    "pac.test.appstudio.openshift.io/repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-qe-bot",
                    "pac.test.appstudio.openshift.io/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pac.test.appstudio.openshift.io/sha-title": "Konflux update test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/sha-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration-2vh4ft",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "forgejo-rep-qw6s/results/f7513ac1-0dd8-4644-a8e8-bc0c8ba1b33a/records/7cda49e2-7859-49fd-a9d2-342181516a58",
                    "results.tekton.dev/result": "forgejo-rep-qw6s/results/f7513ac1-0dd8-4644-a8e8-bc0c8ba1b33a",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05 is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1782938218000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-forgejo-8iazc4",
                    "test.appstudio.openshift.io/result-chains-git-commit": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft"
                },
                "creationTimestamp": "2026-07-01T20:50:50Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-01T20:51:58Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-d1cc",
                    "appstudio.openshift.io/component": "test-comp-pac-forgejo-8iazc4",
                    "appstudio.openshift.io/snapshot": "integ-app-d1cc-20260701-203658-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/event-type": "pull_request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "1",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-forgejo-8iazc4",
                    "pac.test.appstudio.openshift.io/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "konflux-test-integration-2vh4ft",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-resolver-pipeline-pass",
                    "tekton.dev/pipelineRun": "integration-test-taal-zdgz5",
                    "tekton.dev/pipelineRunUID": "f7513ac1-0dd8-4644-a8e8-bc0c8ba1b33a",
                    "tekton.dev/pipelineTask": "task-success-2",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1782939045",
                    "test.appstudio.openshift.io/pr-group-sha": "1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05",
                    "test.appstudio.openshift.io/scenario": "integration-test-taal",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-taal-zdgz5-task-success-2",
                "namespace": "forgejo-rep-qw6s",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-taal-zdgz5",
                        "uid": "f7513ac1-0dd8-4644-a8e8-bc0c8ba1b33a"
                    }
                ],
                "resourceVersion": "72871",
                "uid": "7cda49e2-7859-49fd-a9d2-342181516a58"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SUCCESS"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:50:59Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:50:59Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-taal-zdgz5-task-success-2-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:50:59+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-01T20:50:51Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c370a7bc6e172cdbab001f1a19f37ebc95f47c3d8fe2d915fa4641132490ead7",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://0fe42123db4f972fd04120ea4d415d61833013918c1e723bef78401809f45d73",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:50:59Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:50:59+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:50:59Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SUCCESS --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/commit_sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/pull_request_number": "1",
                    "build.appstudio.redhat.com/target_branch": "base-forgejo-2ikinu",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-forgejo-2ikinu",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-liyjlq",
                    "pipelinesascode.tekton.dev/git-provider": "gitea",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/forgejo-rep-qw6s/pipelinerun/test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-forgejo-2ikinu\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "1",
                    "pipelinesascode.tekton.dev/repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "forgejo-rep-qw6s/results/81d990f3-6461-4b79-8c49-e80950843341/records/f675fb66-ade5-4f1b-b29f-b03e04ab53bf",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-2vh4ft\",\"commit\":\"901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"eventType\":\"pull_request\",\"pull_request-id\":1}",
                    "results.tekton.dev/result": "forgejo-rep-qw6s/results/81d990f3-6461-4b79-8c49-e80950843341",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-forgejo-8iazc4",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:46:43Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-01T20:51:52Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-d1cc",
                    "appstudio.openshift.io/component": "test-comp-pac-forgejo-8iazc4",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "1",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "tekton.dev/pipelineRun": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "tekton.dev/pipelineRunUID": "81d990f3-6461-4b79-8c49-e80950843341",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05"
                },
                "name": "tes36ab79159b4899339ff257c3d30f4b11-deprecated-base-image-check",
                "namespace": "forgejo-rep-qw6s",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                        "uid": "81d990f3-6461-4b79-8c49-e80950843341"
                    }
                ],
                "resourceVersion": "72732",
                "uid": "f675fb66-ade5-4f1b-b29f-b03e04ab53bf"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-forgejo-8iazc4",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:47:02Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:47:02Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tes36ab79159b4899339ff257c3d0d732aadc110a997a4fa8df18c63226-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2\", \"digests\": [\"sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:46:59+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:46:43Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a481eec7be05ae4d6e99524b4c5525e03aeb4c5de21f2b9e2576c7ee9c2702a5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:47:00Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2\\\", \\\"digests\\\": [\\\"sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:46:59+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:46:50Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/commit_sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/pull_request_number": "1",
                    "build.appstudio.redhat.com/target_branch": "base-forgejo-2ikinu",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-forgejo-2ikinu",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-liyjlq",
                    "pipelinesascode.tekton.dev/git-provider": "gitea",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/forgejo-rep-qw6s/pipelinerun/test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-forgejo-2ikinu\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "1",
                    "pipelinesascode.tekton.dev/repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "forgejo-rep-qw6s/results/81d990f3-6461-4b79-8c49-e80950843341/records/35f55940-97b2-42b6-ab04-b2a20687c27e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-2vh4ft\",\"commit\":\"901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"eventType\":\"pull_request\",\"pull_request-id\":1}",
                    "results.tekton.dev/result": "forgejo-rep-qw6s/results/81d990f3-6461-4b79-8c49-e80950843341",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-forgejo-8iazc4",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:46:44Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-01T20:51:52Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-d1cc",
                    "appstudio.openshift.io/component": "test-comp-pac-forgejo-8iazc4",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "1",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "tekton.dev/pipelineRun": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "tekton.dev/pipelineRunUID": "81d990f3-6461-4b79-8c49-e80950843341",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05"
                },
                "name": "test-comp-p36ab79159b4899339ff257c3d30f4b11-rpms-signature-scan",
                "namespace": "forgejo-rep-qw6s",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                        "uid": "81d990f3-6461-4b79-8c49-e80950843341"
                    }
                ],
                "resourceVersion": "72734",
                "uid": "35f55940-97b2-42b6-ab04-b2a20687c27e"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-forgejo-8iazc4",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:b2224a0442ac705e20a25b8609e1760321d9d86da7901fd0392a90102688e37d"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:50:42Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:50:42Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-p36ab79159b489933849370adbf92eeda0f4fb5f990f86ae4-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b2224a0442ac705e20a25b8609e1760321d9d86da7901fd0392a90102688e37d"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2\", \"digests\": [\"sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 132, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:50:40+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:46:45Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:d13a7c30be5d840b76c09cf9427ba77cf70d71752d908fd34c6ecc962b07b65f",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2f51342488769946591cb22bf7b942fa3a0a07621e9c35c6b782b732ccab8a6f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:50:39Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:50:18Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://fdc793eeb66598c5ab631830e2944b34e099f4fa75e22faf42dc9c34f269caea",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:50:41Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2\\\", \\\"digests\\\": [\\\"sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 132, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:50:40+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:50:40Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:d13a7c30be5d840b76c09cf9427ba77cf70d71752d908fd34c6ecc962b07b65f",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.53@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/commit_sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/pull_request_number": "1",
                    "build.appstudio.redhat.com/target_branch": "base-forgejo-2ikinu",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-forgejo-2ikinu",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-liyjlq",
                    "pipelinesascode.tekton.dev/git-provider": "gitea",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/forgejo-rep-qw6s/pipelinerun/test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-forgejo-2ikinu\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "1",
                    "pipelinesascode.tekton.dev/repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "forgejo-rep-qw6s/results/81d990f3-6461-4b79-8c49-e80950843341/records/ed469525-59b6-451e-b7d0-41115397ec27",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-2vh4ft\",\"commit\":\"901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"eventType\":\"pull_request\",\"pull_request-id\":1}",
                    "results.tekton.dev/result": "forgejo-rep-qw6s/results/81d990f3-6461-4b79-8c49-e80950843341",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-forgejo-8iazc4",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:46:44Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-01T20:51:52Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-d1cc",
                    "appstudio.openshift.io/component": "test-comp-pac-forgejo-8iazc4",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "1",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "tekton.dev/pipelineRun": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "tekton.dev/pipelineRunUID": "81d990f3-6461-4b79-8c49-e80950843341",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check-oci-ta-min",
                    "test.appstudio.openshift.io/pr-group-sha": "1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05"
                },
                "name": "test-comp-pa36ab79159b4899339ff257c3d30f4b11-sast-unicode-check",
                "namespace": "forgejo-rep-qw6s",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                        "uid": "81d990f3-6461-4b79-8c49-e80950843341"
                    }
                ],
                "resourceVersion": "72755",
                "uid": "ed469525-59b6-451e-b7d0-41115397ec27"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "value": "oci:quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:d82785bbe13affebfbbe73df403922c4ef4a1e600e9b99da620770e4f7249fbc"
                    },
                    {
                        "name": "CACHI2_ARTIFACT",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-forgejo-8iazc4",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min:0.4@sha256:624d9ed6d461b59a16d8c1578276626c02fa6d56e0ee4bcd752f7859055f21ab"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:50:27Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:50:27Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-pa36ab79159b4899338e1e41e916995ad0d2b6821e9bba1d0-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "624d9ed6d461b59a16d8c1578276626c02fa6d56e0ee4bcd752f7859055f21ab"
                        },
                        "entryPoint": "sast-unicode-check-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:50:25+00:00\",\"note\":\"Task sast-unicode-check-oci-ta-min success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:46:44Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:ab064e9763b62d99da5ee9653370da86ffd9d3e770e1aad7a935e88b64a0b6ac",
                        "name": "use-trusted-artifact",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://24430b9ee74dff99bb1012141a54ce317e0dfa0f667f87223ff26ede70d5f072",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:50:22Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:50:22Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://448cef37a46a0446cb646718404166be2446a5e7a5bdca3fd108f67a5d8491fc",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:50:25Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:50:25+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta-min success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:50:23Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:180b50c7be50c20e3349a79df8dd6062fee0e0dd01aa30e9a09d1d07d9ebd0c2",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2faa96a04dc15228aa57796e81d4191fdb8f347fddca42ef69da4caf3a45400e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:50:26Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:50:25+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta-min success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:50:25Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "default": "",
                            "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.",
                            "name": "CACHI2_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:d82785bbe13affebfbbe73df403922c4ef4a1e600e9b99da620770e4f7249fbc=/var/workdir/source",
                                "=/var/workdir/cachi2"
                            ],
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:ab064e9763b62d99da5ee9653370da86ffd9d3e770e1aad7a935e88b64a0b6ac",
                            "name": "use-trusted-artifact",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "128m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/var/workdir"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.51@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n  PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n  \u003eraw_sast_unicode_check_out.txt \\\n  2\u003eraw_sast_unicode_check_out.log ||\n  FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n  echo \"Failed to run find-unicode-control command\" \u003e\u00262\n  cat raw_sast_unicode_check_out.log\n  note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n  echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n  note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n  --mode=json\n  --remove-duplicates\n  --embed-context=3\n  --set-scan-prop=\"${SCAN_PROP}\"\n  --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003eprocessed_sast_unicode_check_out.json 2\u003eprocessed_sast_unicode_check_out.err; then\n  echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n  cat processed_sast_unicode_check_out.err\n  note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n  KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n  # Default location only reachable from internal Konflux instances, check reachable first\n  echo -n \"INFO: Probing ${PROBE_URL}... \"\n  if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n    echo \"INFO: Trying to clone known-false-positives..\"\n    git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n  fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n  echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n  mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n  echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n  # Build initial csfilter-kfp command\n  csfilter_kfp_cmd=(\n    csfilter-kfp\n    --verbose\n    --kfp-dir=\"${KFP_DIR}\"\n    --project-nvr=\"${PROJECT_NAME}\"\n  )\n\n  # Append --record-excluded option if RECORD_EXCLUDED is true\n  if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n    csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n  fi\n\n  # Execute the command and capture any errors\n  set +e\n  \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003esast_unicode_check_out.json 2\u003esast_unicode_check_out.error\n  status=$?\n  set -e\n  if [ \"$status\" -ne 0 ]; then\n    echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n  else\n    echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n  fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003esast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n  note=\"Task sast-unicode-check-oci-ta-min success: No finding was detected\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s sast_unicode_check_out.sarif ]]; then\n  note=\"Task sast-unicode-check-oci-ta-min success: Some findings were detected, but filtered by known false positive\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-unicode-check test failed because of the following issues:\"\n  cat sast_unicode_check_out.json\n  TEST_OUTPUT=\n  parse_test_output \"sast-unicode-check-oci-ta-min\" sarif sast_unicode_check_out.sarif || true\n  note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:180b50c7be50c20e3349a79df8dd6062fee0e0dd01aa30e9a09d1d07d9ebd0c2",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n  if [ ! -f \"${UPLOAD_FILE}\" ]; then\n    echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n    continue\n  fi\n\n  if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n    MEDIA_TYPE=application/json\n  else\n    MEDIA_TYPE=application/sarif+json\n  fi\n\n  echo \"Selecting auth\"\n  select-oci-auth \"${IMAGE_URL}\" \u003e\"${HOME}/auth.json\"\n  echo \"Attaching to ${IMAGE_URL}\"\n  retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/commit_sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/pull_request_number": "1",
                    "build.appstudio.redhat.com/target_branch": "base-forgejo-2ikinu",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-forgejo-2ikinu",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-liyjlq",
                    "pipelinesascode.tekton.dev/git-provider": "gitea",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/forgejo-rep-qw6s/pipelinerun/test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-forgejo-2ikinu\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "1",
                    "pipelinesascode.tekton.dev/repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "forgejo-rep-qw6s/results/81d990f3-6461-4b79-8c49-e80950843341/records/1c70c49a-e74b-4726-b301-05f01c00ec68",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-2vh4ft\",\"commit\":\"901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"eventType\":\"pull_request\",\"pull_request-id\":1}",
                    "results.tekton.dev/result": "forgejo-rep-qw6s/results/81d990f3-6461-4b79-8c49-e80950843341",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone oci trusted artifacts",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-forgejo-8iazc4",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:37:10Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-01T20:51:52Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-d1cc",
                    "appstudio.openshift.io/component": "test-comp-pac-forgejo-8iazc4",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "1",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "tekton.dev/pipelineRun": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "tekton.dev/pipelineRunUID": "81d990f3-6461-4b79-8c49-e80950843341",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone-oci-ta-min",
                    "test.appstudio.openshift.io/pr-group-sha": "1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05"
                },
                "name": "test-comp-pac-36ab79159b4899339ff257c3d30f4b11-clone-repository",
                "namespace": "forgejo-rep-qw6s",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                        "uid": "81d990f3-6461-4b79-8c49-e80950843341"
                    }
                ],
                "resourceVersion": "72744",
                "uid": "1c70c49a-e74b-4726-b301-05f01c00ec68"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft"
                    },
                    {
                        "name": "revision",
                        "value": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2.git"
                    },
                    {
                        "name": "ociArtifactExpiresAfter",
                        "value": "5d"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-forgejo-8iazc4",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min:0.1@sha256:ad1487d03967da7e9e032ba47b094ebf7e46c8e6f5d47faa9f8c15e1617fb208"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-liyjlq"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:37:23Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:37:23Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-pac-36ab79159b489beb374a503acbec846238a1deb8ba177-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ad1487d03967da7e9e032ba47b094ebf7e46c8e6f5d47faa9f8c15e1617fb208"
                        },
                        "entryPoint": "git-clone-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1782938213"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "901da5d"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft"
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "type": "string",
                        "value": "oci:quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:d82785bbe13affebfbbe73df403922c4ef4a1e600e9b99da620770e4f7249fbc"
                    }
                ],
                "startTime": "2026-07-01T20:37:10Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ecd4f23e1588b45111e843ef2857ec6f9fb6136b88be481fb25507434fa501bb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:37:20Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft\",\"type\":1},{\"key\":\"commit\",\"value\":\"901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782938213\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"901da5d\",\"type\":1},{\"key\":\"url\",\"value\":\"https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:37:19Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://825c938bbf29b6ba41bc1a8d306efdb3eb6bc06135963e95413f84bff7fae659",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:37:20Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft\",\"type\":1},{\"key\":\"commit\",\"value\":\"901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782938213\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"901da5d\",\"type\":1},{\"key\":\"url\",\"value\":\"https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:37:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                        "name": "create-trusted-artifact",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e10e102427bc213c37e46114e384963f91438bd501b63dec5214722ee4e53db1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:37:22Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:d82785bbe13affebfbbe73df403922c4ef4a1e600e9b99da620770e4f7249fbc\",\"type\":1},{\"key\":\"commit\",\"value\":\"901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782938213\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"901da5d\",\"type\":1},{\"key\":\"url\",\"value\":\"https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:37:21Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted artifact in the provided OCI repository.",
                    "params": [
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "description": "The OCI repository where the Trusted Artifacts are stored.",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                },
                                {
                                    "name": "CHECKOUT_DIR",
                                    "value": "/var/workdir/source"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ]; then\n  set -x\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ]; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e\"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e\"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ]; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\n  if ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n    echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n    echo \"--- Git Status ---\"\n    git status\n    echo \"------------------\"\n    exit 1\n  fi\n\n  # Check if there are changes staged for commit\n  if git diff --staged --quiet; then\n    echo \"No diff was found, skipping merge...\" \u003e\u00262\n  else\n    echo \"Merge successful (no conflicts found), committing...\"\n    if ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n      echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n      exit 1\n    fi\n    MERGED_SHA=$(git rev-parse HEAD)\n    echo \"New HEAD after merge: ${MERGED_SHA}\"\n    echo \"${MERGED_SHA}\" \u003e\"/tekton/results/merged_sha\"\n  fi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e\"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e\"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ]; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/workdir",
                                    "name": "workdir"
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "CHECKOUT_DIR",
                                    "value": "/var/workdir/source"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink; do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ]; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ]; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/workdir",
                                    "name": "workdir"
                                }
                            ]
                        },
                        {
                            "args": [
                                "create",
                                "--store",
                                "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2.git",
                                "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_EXPIRES_AFTER",
                                    "value": "5d"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "create-trusted-artifact",
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/workdir",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/commit_sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/pull_request_number": "1",
                    "build.appstudio.redhat.com/target_branch": "base-forgejo-2ikinu",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-forgejo-2ikinu",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-liyjlq",
                    "pipelinesascode.tekton.dev/git-provider": "gitea",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/forgejo-rep-qw6s/pipelinerun/test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-forgejo-2ikinu\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "1",
                    "pipelinesascode.tekton.dev/repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "forgejo-rep-qw6s/results/81d990f3-6461-4b79-8c49-e80950843341/records/3736e5b4-09e1-4ac4-a7b3-c38e8a753b50",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-2vh4ft\",\"commit\":\"901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"eventType\":\"pull_request\",\"pull_request-id\":1}",
                    "results.tekton.dev/result": "forgejo-rep-qw6s/results/81d990f3-6461-4b79-8c49-e80950843341",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-forgejo-8iazc4",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:46:44Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-01T20:51:52Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-d1cc",
                    "appstudio.openshift.io/component": "test-comp-pac-forgejo-8iazc4",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "1",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "tekton.dev/pipelineRun": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "tekton.dev/pipelineRunUID": "81d990f3-6461-4b79-8c49-e80950843341",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check-oci-ta-min",
                    "test.appstudio.openshift.io/pr-group-sha": "1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05"
                },
                "name": "test-comp-pac-36ab79159b4899339ff257c3d30f4b11-sast-shell-check",
                "namespace": "forgejo-rep-qw6s",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                        "uid": "81d990f3-6461-4b79-8c49-e80950843341"
                    }
                ],
                "resourceVersion": "72753",
                "uid": "3736e5b4-09e1-4ac4-a7b3-c38e8a753b50"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "value": "oci:quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:d82785bbe13affebfbbe73df403922c4ef4a1e600e9b99da620770e4f7249fbc"
                    },
                    {
                        "name": "CACHI2_ARTIFACT",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-forgejo-8iazc4",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min:0.1@sha256:fa19753f59288a397aab2ddb9459f35f0ec1b89f43c36e944a3958db72becb5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:50:38Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:50:38Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-pac-36ab79159b489a8c7199bc3a7f54233ecfbfb98bb1927-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "fa19753f59288a397aab2ddb9459f35f0ec1b89f43c36e944a3958db72becb5a"
                        },
                        "entryPoint": "sast-shell-check-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:50:36+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:46:44Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:ab064e9763b62d99da5ee9653370da86ffd9d3e770e1aad7a935e88b64a0b6ac",
                        "name": "use-trusted-artifact",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c0aa0c0efc51d7d750cb6a3d5bae4bb14c5a9ceab3a747b565a2d0c9c592e501",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:50:22Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:50:22Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://211d718435fab2eb0e117cf4427fd48905cc0e0c2080934b301f7005944c5f2a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:50:36Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:50:36+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:50:22Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:180b50c7be50c20e3349a79df8dd6062fee0e0dd01aa30e9a09d1d07d9ebd0c2",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8f125abca2a802422491678aa2cbdb3d5dd66a1ab998f8ee885d67712c9cf5d1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:50:37Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:50:36+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:50:36Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.",
                            "name": "CACHI2_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:d82785bbe13affebfbbe73df403922c4ef4a1e600e9b99da620770e4f7249fbc=/var/workdir/source",
                                "=/var/workdir/cachi2"
                            ],
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:ab064e9763b62d99da5ee9653370da86ffd9d3e770e1aad7a935e88b64a0b6ac",
                            "name": "use-trusted-artifact",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "128m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "128m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.51@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n  PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/var/workdir/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c\"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n  read -r quota period \u003c/sys/fs/cgroup/cpu.max\n  if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n    export SC_JOBS=$(((quota + period - 1) / period))\n    echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n  fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n  --mode=json\n  --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n  --remove-duplicates\n  --embed-context=3\n  --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n  # predefined list of shellcheck important findings\n  CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n  CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n  CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n  CSGREP_OPTS+=(\n    --event=\"$CSGREP_EVENT_FILTER\"\n  )\nelse\n  CSGREP_OPTS+=(\n    --event=\"error|warning\"\n  )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e\"$OUTPUT_FILE\"; then\n  echo \"Error occurred while running 'run-shellcheck.sh'\"\n  note=\"Task sast-shell-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n  KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n  # Default location only reachable from internal Konflux instances, check reachable first\n  echo -n \"INFO: Probing ${PROBE_URL}... \"\n  if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n    echo \"INFO: Trying to clone known-false-positives..\"\n    git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n  fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n  echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n  echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n  # build initial csfilter-kfp command\n  csfilter_kfp_cmd=(\n    csfilter-kfp\n    --verbose\n    --kfp-dir=\"${KFP_DIR}\"\n    --project-nvr=\"${PROJECT_NAME}\"\n  )\n\n  if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n    csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n  fi\n\n  # Execute the command and capture any errors\n  set +e\n  \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e\"${OUTPUT_FILE}.filtered\" 2\u003e\"${OUTPUT_FILE}.error\"\n  status=$?\n  set -e\n  if [ \"$status\" -ne 0 ]; then\n    echo \"WARN: failed to filter known false positives\" \u003e\u00262\n  else\n    mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n    echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n  fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003eshellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check-oci-ta-min\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:180b50c7be50c20e3349a79df8dd6062fee0e0dd01aa30e9a09d1d07d9ebd0c2",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n  echo 'No image-url or image-digest param provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n  if [ ! -f \"${UPLOAD_FILE}\" ]; then\n    echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n    continue\n  fi\n\n  # Determine the media type based on the file extension\n  if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n    MEDIA_TYPE=\"application/json\"\n  else\n    MEDIA_TYPE=\"application/sarif+json\"\n  fi\n\n  echo \"Selecting auth\"\n  select-oci-auth \"$IMAGE_URL\" \u003e\"$HOME/auth.json\"\n  echo \"Attaching to ${IMAGE_URL}\"\n  if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"; then\n    echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n    exit 1\n  fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/commit_sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/pull_request_number": "1",
                    "build.appstudio.redhat.com/target_branch": "base-forgejo-2ikinu",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-forgejo-2ikinu",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-liyjlq",
                    "pipelinesascode.tekton.dev/git-provider": "gitea",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/forgejo-rep-qw6s/pipelinerun/test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-forgejo-2ikinu\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "1",
                    "pipelinesascode.tekton.dev/repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "forgejo-rep-qw6s/results/81d990f3-6461-4b79-8c49-e80950843341/records/14ab5798-7d6b-4ca1-b549-e628acf5ec98",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-2vh4ft\",\"commit\":\"901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"eventType\":\"pull_request\",\"pull_request-id\":1}",
                    "results.tekton.dev/result": "forgejo-rep-qw6s/results/81d990f3-6461-4b79-8c49-e80950843341",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-forgejo-8iazc4",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:38:42Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-01T20:51:52Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-d1cc",
                    "appstudio.openshift.io/component": "test-comp-pac-forgejo-8iazc4",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "1",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "tekton.dev/pipelineRun": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "tekton.dev/pipelineRunUID": "81d990f3-6461-4b79-8c49-e80950843341",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah-oci-ta-min",
                    "test.appstudio.openshift.io/pr-group-sha": "1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05"
                },
                "name": "test-comp-pac-f36ab79159b4899339ff257c3d30f4b11-build-container",
                "namespace": "forgejo-rep-qw6s",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                        "uid": "81d990f3-6461-4b79-8c49-e80950843341"
                    }
                ],
                "resourceVersion": "72749",
                "uid": "14ab5798-7d6b-4ca1-b549-e628acf5ec98"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "value": "oci:quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:d82785bbe13affebfbbe73df403922c4ef4a1e600e9b99da620770e4f7249fbc"
                    },
                    {
                        "name": "CACHI2_ARTIFACT",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-forgejo-8iazc4",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min:0.9@sha256:43f0592e75657718c0a1ddbc0033132014d6b24e9f2391a0ce14187ec13e12ca"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:46:30Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:46:30Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-pac-f36ab79159b48f475f69ae95cbff99aa41bc7a3010fe9-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "43f0592e75657718c0a1ddbc0033132014d6b24e9f2391a0ce14187ec13e12ca"
                        },
                        "entryPoint": "buildah-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2@sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:fc9587dd773496192007ef2f2fb44d4514b762a5020292a20c9238422f7697ff"
                    }
                ],
                "startTime": "2026-07-01T20:38:42Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                        "name": "use-trusted-artifact",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e488da987023d30e140b34d9e169e740329c84832aa61fbbd708090d8fb29bea",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:39:26Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:39:26Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9d85a1e9cea701b9ae11d68aaf9b5e6d9c345d2a7a1ae31322515221e20c555f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:41:03Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:39:27Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f642cab5ac3aeac7cc83c01df26f0705621f7581250df58451e64e02b9c5a6d8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:44:18Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2@sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:41:04Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://03f58349c31d69cdfd1660825c57f53903fd68fe244b2540e25dcf953a7146b0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:45:15Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2@sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:44:18Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://432523f51d662ac45715ff4798da0441a96916672ecb77ee387ed222eb60c754",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:45:49Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2@sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:45:16Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6ac255071e6923aaca9f61c3c50ff6cc7aaf49082765759356b7d96e84e59f11",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:46:30Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2@sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:fc9587dd773496192007ef2f2fb44d4514b762a5020292a20c9238422f7697ff\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:45:50Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.",
                            "name": "CACHI2_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "256Mi"
                            },
                            "requests": {
                                "cpu": "100m",
                                "memory": "256Mi"
                            }
                        },
                        "env": [
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "."
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            },
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:d82785bbe13affebfbbe73df403922c4ef4a1e600e9b99da620770e4f7249fbc=/var/workdir/source",
                                "=/var/workdir/cachi2"
                            ],
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "use-trusted-artifact",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "500m",
                                    "memory": "1Gi"
                                },
                                "requests": {
                                    "cpu": "500m",
                                    "memory": "1Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n\"$source_dir_path\" | \"$source_dir_path/\"*)\n  # path is valid, do nothing\n  ;;\n*)\n  echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n  echo \"Source path: $source_dir_path\" \u003e\u00262\n  echo \"Resolved path: $context_dir_path\" \u003e\u00262\n  exit 1\n  ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e/etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c\"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n  --build-args)\n    shift\n    # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n    # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n    # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n    while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n      build_args+=(\"$1\")\n      shift\n    done\n    ;;\n  --env)\n    shift\n    # Collect env entries of the form KEY=value\n    while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n      env_vars+=(\"$1\")\n      shift\n    done\n    ;;\n  --labels)\n    shift\n    while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n      LABELS+=(\"--label\" \"$1\")\n      shift\n    done\n    ;;\n  --annotations)\n    shift\n    while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n      ANNOTATIONS+=(\"--annotation\" \"$1\")\n      shift\n    done\n    ;;\n  *)\n    echo \"unexpected argument: $1\" \u003e\u00262\n    exit 2\n    ;;\n  esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e/shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n  jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n    tr -d '\"' |\n    tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"; then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ]; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ]; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/var/workdir/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e/shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/var/workdir/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n    -e 'H;1h;$!d;x' \\\n    -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n    \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null$()\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e\"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key\n    -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z\n    -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"; then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e/dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c\"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n  buildah build\n  \"${VOLUME_MOUNTS[@]}\"\n  \"${BUILDAH_ARGS[@]}\"\n  \"${LABELS[@]}\"\n  \"${ANNOTATIONS[@]}\"\n  --tls-verify=\"$TLSVERIFY\" --no-cache\n  --ulimit nofile=4096:4096\n  --http-proxy=false\n  -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci:$IMAGE\"\necho \"/shared/$image_name.oci\" \u003e/shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "test-comp-pac-f36ab79159b4899339ff257c3d30f4b11-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"; then\n  echo \"Failed to push image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/var/workdir/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"; then\n  echo \"Failed to push image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c\"/var/workdir\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/var/workdir/image-digest\"\n} \u003e\"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"; then\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n   [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n   [rekorInternalUrl]=REKOR_URL\n   [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n   [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n   [rekorInternalUrl]=rekorExternalUrl\n   [fulcioInternalUrl]=fulcioExternalUrl\n   [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e/shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e/tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"; then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "256m",
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "256m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\ncyclonedx)\n  syft_sbom_type=cyclonedx-json@1.5\n  ;;\nspdx)\n  syft_sbom_type=spdx-json@2.3\n  ;;\n*)\n  echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n  exit 1\n  ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/var/workdir/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/var/workdir/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.2.0-1774868067@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n  --additional-base-images)\n    shift\n    while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n      ADDITIONAL_BASE_IMAGES+=(\"$1\")\n      shift\n    done\n    ;;\n  *)\n    echo \"unexpected argument: $1\" \u003e\u00262\n    exit 2\n    ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/var/workdir/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/var/workdir/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/var/workdir/sbom-source.json\")\nfi\n\nif [ -f \"/var/workdir/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/var/workdir/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/var/workdir"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"; then\n  echo \"Failed to push sbom to registry\"\n  exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"; then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/commit_sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/pull_request_number": "1",
                    "build.appstudio.redhat.com/target_branch": "base-forgejo-2ikinu",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-forgejo-2ikinu",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-liyjlq",
                    "pipelinesascode.tekton.dev/git-provider": "gitea",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/forgejo-rep-qw6s/pipelinerun/test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-forgejo-2ikinu\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "1",
                    "pipelinesascode.tekton.dev/repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "forgejo-rep-qw6s/results/81d990f3-6461-4b79-8c49-e80950843341/records/32f885f5-78cc-4fee-a096-e8fd74495587",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-2vh4ft\",\"commit\":\"901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"eventType\":\"pull_request\",\"pull_request-id\":1}",
                    "results.tekton.dev/result": "forgejo-rep-qw6s/results/81d990f3-6461-4b79-8c49-e80950843341",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-forgejo-8iazc4",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:46:43Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-01T20:51:52Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-d1cc",
                    "appstudio.openshift.io/component": "test-comp-pac-forgejo-8iazc4",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "1",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "tekton.dev/pipelineRun": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "tekton.dev/pipelineRunUID": "81d990f3-6461-4b79-8c49-e80950843341",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan-min",
                    "test.appstudio.openshift.io/pr-group-sha": "1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05"
                },
                "name": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv-clamav-scan",
                "namespace": "forgejo-rep-qw6s",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                        "uid": "81d990f3-6461-4b79-8c49-e80950843341"
                    }
                ],
                "resourceVersion": "72738",
                "uid": "32f885f5-78cc-4fee-a096-e8fd74495587"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-forgejo-8iazc4",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min:0.3@sha256:589e34f73d310aa993c9761d8b78265a904a121028bda2809d8a2d0500454bd8"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:50:45Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:50:45Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-pac-forgejo-8iazc9707b1a8ae04a541347c45c78c933c9b-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "589e34f73d310aa993c9761d8b78265a904a121028bda2809d8a2d0500454bd8"
                        },
                        "entryPoint": "clamav-scan-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2\", \"digests\": [\"sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782939041\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-01T20:46:44Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:2da6c1a37fef998b68b675505fb654b1123e3cd889c190c59b4527d11621e8fc",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c271c3502322b3080f084f0807e54248ecb6da08c8ef26bdf3d83220886a36be",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:50:41Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2\\\", \\\"digests\\\": [\\\"sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782939041\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:46:51Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://64f174013fc153a706d487f818e1ef9396c22c456cc7153df6b9b47934c203e7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:50:44Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2\\\", \\\"digests\\\": [\\\"sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782939041\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:50:41Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "512m",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "512m",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan-min failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan-min failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/commit_sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/pull_request_number": "1",
                    "build.appstudio.redhat.com/target_branch": "base-forgejo-2ikinu",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-forgejo-2ikinu",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-liyjlq",
                    "pipelinesascode.tekton.dev/git-provider": "gitea",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/forgejo-rep-qw6s/pipelinerun/test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-forgejo-2ikinu\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "1",
                    "pipelinesascode.tekton.dev/repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "forgejo-rep-qw6s/results/81d990f3-6461-4b79-8c49-e80950843341/records/f99e278b-8fc8-4645-aa6c-4c4360b1f705",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-2vh4ft\",\"commit\":\"901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"eventType\":\"pull_request\",\"pull_request-id\":1}",
                    "results.tekton.dev/result": "forgejo-rep-qw6s/results/81d990f3-6461-4b79-8c49-e80950843341",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-forgejo-8iazc4",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:37:04Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-01T20:51:52Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-d1cc",
                    "appstudio.openshift.io/component": "test-comp-pac-forgejo-8iazc4",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "1",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "tekton.dev/pipelineRun": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "tekton.dev/pipelineRunUID": "81d990f3-6461-4b79-8c49-e80950843341",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05"
                },
                "name": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv-init",
                "namespace": "forgejo-rep-qw6s",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                        "uid": "81d990f3-6461-4b79-8c49-e80950843341"
                    }
                ],
                "resourceVersion": "72724",
                "uid": "f99e278b-8fc8-4645-aa6c-4c4360b1f705"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-forgejo-8iazc4",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:b797dd453ddad669365de6de4649e3a9e37e77aa26eb9862ca079a36cbfe64a4"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:37:10Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:37:10Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b797dd453ddad669365de6de4649e3a9e37e77aa26eb9862ca079a36cbfe64a4"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-01T20:37:04Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a76b86580cf3f1ef352ff4c835551b400d2f442773cd65aae177179f768dcb98",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:37:09Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:37:09Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/commit_sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/pull_request_number": "1",
                    "build.appstudio.redhat.com/target_branch": "base-forgejo-2ikinu",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-forgejo-2ikinu",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-liyjlq",
                    "pipelinesascode.tekton.dev/git-provider": "gitea",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/forgejo-rep-qw6s/pipelinerun/test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-forgejo-2ikinu\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "1",
                    "pipelinesascode.tekton.dev/repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "forgejo-rep-qw6s/results/81d990f3-6461-4b79-8c49-e80950843341/records/368aa103-0dac-4492-9111-741e3a6a9ae8",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-2vh4ft\",\"commit\":\"901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"eventType\":\"pull_request\",\"pull_request-id\":1}",
                    "results.tekton.dev/result": "forgejo-rep-qw6s/results/81d990f3-6461-4b79-8c49-e80950843341",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-forgejo-8iazc4",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:46:44Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-01T20:51:52Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-d1cc",
                    "appstudio.openshift.io/component": "test-comp-pac-forgejo-8iazc4",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "1",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "tekton.dev/pipelineRun": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "tekton.dev/pipelineRunUID": "81d990f3-6461-4b79-8c49-e80950843341",
                    "tekton.dev/pipelineTask": "tpa-scan",
                    "tekton.dev/task": "tpa-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05"
                },
                "name": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv-tpa-scan",
                "namespace": "forgejo-rep-qw6s",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                        "uid": "81d990f3-6461-4b79-8c49-e80950843341"
                    }
                ],
                "resourceVersion": "72729",
                "uid": "368aa103-0dac-4492-9111-741e3a6a9ae8"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-forgejo-8iazc4",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "tpa-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan:0.1@sha256:68b6e188f742da92af9c40a794fd021a65d49b419d1e36096277b2d9ebbe1afc"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:50:33Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:50:33Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv-tpa-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "68b6e188f742da92af9c40a794fd021a65d49b419d1e36096277b2d9ebbe1afc"
                        },
                        "entryPoint": "tpa-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2\", \"digests\": [\"sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\":\"sha256:81fb5fe4169d4cbf7610fc257d5da58c3e20fc092336b8d6928d86aa6ad87310\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":7,\"high\":139,\"medium\":242,\"low\":34,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:50:32+00:00\",\"note\":\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:46:45Z",
                "steps": [
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://649e593d47e4acbac90447a2d341c58f71e3a36fd5ea17a80c7589031cb9fb89",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:50:21Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:50:17Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://0051078a120d6a80a73e03a0130ad03ff79158b25348dd85ec59a6dc936cfcec",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:50:25Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:50:21Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://1b3143f9cabab60947bb228228715858539679e7660af8e656d66fc0d6ec7b70",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:50:33Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2\\\", \\\"digests\\\": [\\\"sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\\\":\\\"sha256:81fb5fe4169d4cbf7610fc257d5da58c3e20fc092336b8d6928d86aa6ad87310\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":7,\\\"high\\\":139,\\\"medium\\\":242,\\\"low\\\":34,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:50:32+00:00\\\",\\\"note\\\":\\\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:50:25Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using the TPA vulnerability scanner, by comparing the components of container image against the vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform which will be scanned by this task.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "https://exhort.stage.devshift.net/api/v5/analysis",
                            "description": "The url of the TPA instance which will be used for scanning.",
                            "name": "tpa-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "TPA scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "2Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "2Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                },
                                {
                                    "name": "TPA_URL",
                                    "value": "https://exhort.stage.devshift.net/api/v5/analysis"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\necho \"Inspecting raw image manifest $imageanddigest.\"\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\necho \"Selecting auth\"\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${imageanddigest}\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task tpa-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n\ntpa_scan() {\n  local sbom_file=${1}\n  local arch=${2}\n  local sbom_format\n\n  sbom_format=$(jq -r 'if .bomFormat == \"CycloneDX\" then \"cyclonedx\" else \"spdx\" end' \u003c \"${sbom_file}\")\n  retry curl -f --show-error -L -X POST -T \"${sbom_file}\" -H \"Content-Type:application/vnd.${sbom_format}+json\" \"${TPA_URL}\" | tee  \"tpa-report-${arch}.json\";\n}\n\nrun_tpa_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-${arch}.sha\"\n  local sbom_file_path=\"/tmp/sbom-${arch}.json\"\n  local arch_sha=\"\"\n\n  if [ -e \"${sha_file}\" ]; then\n    arch_sha=$(\u003c\"${sha_file}\")\n    arch_imageanddigest=$(echo -n \"${imagewithouttag}@${arch_sha}\")\n  else\n    echo \"Couldn't find the SHA file for the requested architecture.\"\n    exit 1\n  fi\n\n  echo \"Selecting auth\"\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${arch_imageanddigest}\" \u003e/tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  # Attempt to download the SBOM file via cosign\n\n  if ! retry cosign download sbom \"${arch_imageanddigest}\" \u003e \"${sbom_file_path}\"; then\n    echo \"Unable to download SBOM for the architecture ${arch}.\"\n    exit 1\n  fi\n\n  if [ -e \"${sbom_file_path}\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n\n    echo \"Running TPA scan on $arch image manifest...\"\n    tpa_scan \"${sbom_file_path}\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  else\n    echo \"Couldn't find the SBOM file for the requested ${arch} architecture.\"\n    exit 1\n  fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run the tpa scan on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 1\n      ;;\n  esac\n\n  run_tpa_on_arch \"$arch\"\n\n# If no platform is specified, run TPA scan on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_tpa_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"tpa-report-*.json\" \u003e /dev/null; then\n  echo 'No TPA reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.tpa-report+json'\n\nreports_json=\"{}\"\nfor f in tpa-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${image_ref}\" \u003e/tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"/tmp/auth/config.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-user-workloads/rhtap-integration-tenant/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\ntpa_result_files=$(ls /tekton/home/tpa-report-*.json 2\u003e/dev/null || true)\nif [ -z \"$tpa_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No tpa-report files found in /tekton/home.\"\n  exit 1\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $tpa_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/tpa-report-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/rhtpa/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/tpa-vulnerabilities-\"${file_suffix}\".json || true\n  fi\n\n  #check for missing \"tpa-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/tpa-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/tpa-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task tpa-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/tpa-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/fe95951faac33924a337b79cd4bdfc14d7db2801",
                    "build.appstudio.redhat.com/commit_sha": "fe95951faac33924a337b79cd4bdfc14d7db2801",
                    "build.appstudio.redhat.com/target_branch": "base-forgejo-2ikinu",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-forgejo-2ikinu",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tfoqsv",
                    "pipelinesascode.tekton.dev/git-provider": "gitea",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/forgejo-rep-qw6s/pipelinerun/test-comp-pac-forgejo-8iazc4-on-push-9s8df",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-forgejo-2ikinu\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "fe95951faac33924a337b79cd4bdfc14d7db2801",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request 'Konflux update test-comp-pac-forgejo-8iazc4' (#1) from konflux-test-comp-pac-forgejo-8iazc4 into base-forgejo-2ikinu\n",
                    "pipelinesascode.tekton.dev/sha-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/fe95951faac33924a337b79cd4bdfc14d7db2801",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-forgejo-2ikinu",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "forgejo-rep-qw6s/results/02c59798-052a-4e54-9378-a563f9522a73/records/8b126e02-f322-4c6f-bf7a-95144d92eb22",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-2vh4ft\",\"commit\":\"fe95951faac33924a337b79cd4bdfc14d7db2801\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "forgejo-rep-qw6s/results/02c59798-052a-4e54-9378-a563f9522a73",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone oci trusted artifacts",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git"
                },
                "creationTimestamp": "2026-07-01T20:51:34Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-01T20:51:53Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-d1cc",
                    "appstudio.openshift.io/component": "test-comp-pac-forgejo-8iazc4",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-push",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha": "fe95951faac33924a337b79cd4bdfc14d7db2801",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-forgejo-8iazc4-on-push-9s8df",
                    "tekton.dev/pipelineRun": "test-comp-pac-forgejo-8iazc4-on-push-9s8df",
                    "tekton.dev/pipelineRunUID": "02c59798-052a-4e54-9378-a563f9522a73",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone-oci-ta-min"
                },
                "name": "test-comp-pac-forgejo-8iazc4-on-push-9s8df-clone-repository",
                "namespace": "forgejo-rep-qw6s",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-forgejo-8iazc4-on-push-9s8df",
                        "uid": "02c59798-052a-4e54-9378-a563f9522a73"
                    }
                ],
                "resourceVersion": "72783",
                "uid": "8b126e02-f322-4c6f-bf7a-95144d92eb22"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft"
                    },
                    {
                        "name": "revision",
                        "value": "fe95951faac33924a337b79cd4bdfc14d7db2801"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:fe95951faac33924a337b79cd4bdfc14d7db2801.git"
                    },
                    {
                        "name": "ociArtifactExpiresAfter",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-forgejo-8iazc4",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min:0.1@sha256:ad1487d03967da7e9e032ba47b094ebf7e46c8e6f5d47faa9f8c15e1617fb208"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-tfoqsv"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:51:42Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:51:42Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-pac-forgejo-8iazc4-on-push-9s8df-clone-repository-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ad1487d03967da7e9e032ba47b094ebf7e46c8e6f5d47faa9f8c15e1617fb208"
                        },
                        "entryPoint": "git-clone-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "fe95951faac33924a337b79cd4bdfc14d7db2801"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "fe95951faac33924a337b79cd4bdfc14d7db2801"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1782939077"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "fe95951"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft"
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "type": "string",
                        "value": "oci:quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:6fcf80cb8bdc7c9f95b8da542e4432ef01e5bd661f17b127a1882f5590adcb2f"
                    }
                ],
                "startTime": "2026-07-01T20:51:34Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e71e503b391416dee1bec18b854821c15b568676497eddc0a54dba51749b5a84",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:51:40Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"fe95951faac33924a337b79cd4bdfc14d7db2801\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft\",\"type\":1},{\"key\":\"commit\",\"value\":\"fe95951faac33924a337b79cd4bdfc14d7db2801\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782939077\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"fe95951\",\"type\":1},{\"key\":\"url\",\"value\":\"https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:51:39Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://55a6d820e27154d98c967a0e19466081e3883b05833865b2b9cebbee37690a08",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:51:40Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"fe95951faac33924a337b79cd4bdfc14d7db2801\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft\",\"type\":1},{\"key\":\"commit\",\"value\":\"fe95951faac33924a337b79cd4bdfc14d7db2801\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782939077\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"fe95951\",\"type\":1},{\"key\":\"url\",\"value\":\"https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:51:40Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                        "name": "create-trusted-artifact",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a581451887b6b31a8b468facdbf147459d2c82a8386f8b9cea59ab6129ca01be",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:51:42Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"fe95951faac33924a337b79cd4bdfc14d7db2801\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:6fcf80cb8bdc7c9f95b8da542e4432ef01e5bd661f17b127a1882f5590adcb2f\",\"type\":1},{\"key\":\"commit\",\"value\":\"fe95951faac33924a337b79cd4bdfc14d7db2801\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782939077\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"fe95951\",\"type\":1},{\"key\":\"url\",\"value\":\"https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:51:41Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted artifact in the provided OCI repository.",
                    "params": [
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "description": "The OCI repository where the Trusted Artifacts are stored.",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "fe95951faac33924a337b79cd4bdfc14d7db2801"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                },
                                {
                                    "name": "CHECKOUT_DIR",
                                    "value": "/var/workdir/source"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ]; then\n  set -x\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ]; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e\"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e\"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ]; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\n  if ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n    echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n    echo \"--- Git Status ---\"\n    git status\n    echo \"------------------\"\n    exit 1\n  fi\n\n  # Check if there are changes staged for commit\n  if git diff --staged --quiet; then\n    echo \"No diff was found, skipping merge...\" \u003e\u00262\n  else\n    echo \"Merge successful (no conflicts found), committing...\"\n    if ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n      echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n      exit 1\n    fi\n    MERGED_SHA=$(git rev-parse HEAD)\n    echo \"New HEAD after merge: ${MERGED_SHA}\"\n    echo \"${MERGED_SHA}\" \u003e\"/tekton/results/merged_sha\"\n  fi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e\"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e\"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ]; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/workdir",
                                    "name": "workdir"
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "CHECKOUT_DIR",
                                    "value": "/var/workdir/source"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink; do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ]; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ]; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/workdir",
                                    "name": "workdir"
                                }
                            ]
                        },
                        {
                            "args": [
                                "create",
                                "--store",
                                "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:fe95951faac33924a337b79cd4bdfc14d7db2801.git",
                                "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_EXPIRES_AFTER"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "create-trusted-artifact",
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/workdir",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/fe95951faac33924a337b79cd4bdfc14d7db2801",
                    "build.appstudio.redhat.com/commit_sha": "fe95951faac33924a337b79cd4bdfc14d7db2801",
                    "build.appstudio.redhat.com/target_branch": "base-forgejo-2ikinu",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-forgejo-2ikinu",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tfoqsv",
                    "pipelinesascode.tekton.dev/git-provider": "gitea",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/forgejo-rep-qw6s/pipelinerun/test-comp-pac-forgejo-8iazc4-on-push-9s8df",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-forgejo-2ikinu\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "fe95951faac33924a337b79cd4bdfc14d7db2801",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request 'Konflux update test-comp-pac-forgejo-8iazc4' (#1) from konflux-test-comp-pac-forgejo-8iazc4 into base-forgejo-2ikinu\n",
                    "pipelinesascode.tekton.dev/sha-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/fe95951faac33924a337b79cd4bdfc14d7db2801",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-forgejo-2ikinu",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "forgejo-rep-qw6s/results/02c59798-052a-4e54-9378-a563f9522a73/records/7c85780f-9c74-49a1-a976-7baa86996090",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-2vh4ft\",\"commit\":\"fe95951faac33924a337b79cd4bdfc14d7db2801\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "forgejo-rep-qw6s/results/02c59798-052a-4e54-9378-a563f9522a73",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-07-01T20:51:29Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-01T20:51:53Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-d1cc",
                    "appstudio.openshift.io/component": "test-comp-pac-forgejo-8iazc4",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-push",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha": "fe95951faac33924a337b79cd4bdfc14d7db2801",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-forgejo-8iazc4-on-push-9s8df",
                    "tekton.dev/pipelineRun": "test-comp-pac-forgejo-8iazc4-on-push-9s8df",
                    "tekton.dev/pipelineRunUID": "02c59798-052a-4e54-9378-a563f9522a73",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init"
                },
                "name": "test-comp-pac-forgejo-8iazc4-on-push-9s8df-init",
                "namespace": "forgejo-rep-qw6s",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-forgejo-8iazc4-on-push-9s8df",
                        "uid": "02c59798-052a-4e54-9378-a563f9522a73"
                    }
                ],
                "resourceVersion": "72779",
                "uid": "7c85780f-9c74-49a1-a976-7baa86996090"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-forgejo-8iazc4",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:b797dd453ddad669365de6de4649e3a9e37e77aa26eb9862ca079a36cbfe64a4"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:51:34Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:51:34Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-pac-forgejo-8iazc4-on-push-9s8df-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b797dd453ddad669365de6de4649e3a9e37e77aa26eb9862ca079a36cbfe64a4"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-01T20:51:29Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b0976053b6f5b970d521fc6f2cd0030461c894eea864125b84d21b6633ee6eaa",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:51:34Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:51:34Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/commit_sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/pull_request_number": "1",
                    "build.appstudio.redhat.com/target_branch": "base-forgejo-2ikinu",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-forgejo-2ikinu",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-liyjlq",
                    "pipelinesascode.tekton.dev/git-provider": "gitea",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/forgejo-rep-qw6s/pipelinerun/test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-forgejo-2ikinu\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "1",
                    "pipelinesascode.tekton.dev/repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "forgejo-rep-qw6s/results/81d990f3-6461-4b79-8c49-e80950843341/records/150382b1-8984-4ec1-839f-f220564e2885",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-2vh4ft\",\"commit\":\"901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"eventType\":\"pull_request\",\"pull_request-id\":1}",
                    "results.tekton.dev/result": "forgejo-rep-qw6s/results/81d990f3-6461-4b79-8c49-e80950843341",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-forgejo-8iazc4",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:46:30Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-01T20:51:52Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-d1cc",
                    "appstudio.openshift.io/component": "test-comp-pac-forgejo-8iazc4",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "1",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "tekton.dev/pipelineRun": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "tekton.dev/pipelineRunUID": "81d990f3-6461-4b79-8c49-e80950843341",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index-min",
                    "test.appstudio.openshift.io/pr-group-sha": "1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05"
                },
                "name": "test-comp-pac36ab79159b4899339ff257c3d30f4b11-build-image-index",
                "namespace": "forgejo-rep-qw6s",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                        "uid": "81d990f3-6461-4b79-8c49-e80950843341"
                    }
                ],
                "resourceVersion": "72741",
                "uid": "150382b1-8984-4ec1-839f-f220564e2885"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2@sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-forgejo-8iazc4",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index-min:0.3@sha256:fbb362f21e559606f8941cde6a2c0507c8af6cfc8bee88ffc38032e8e80b4b7e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:46:43Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:46:43Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-pac36ab79159b4899b4ed858042d691e383e802c382b2fa94-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "fbb362f21e559606f8941cde6a2c0507c8af6cfc8bee88ffc38032e8e80b4b7e"
                        },
                        "entryPoint": "build-image-index-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index-min"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                    }
                ],
                "startTime": "2026-07-01T20:46:30Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e9efe734e7662c95f5283aa1da35f4bd8f0970e798bea44c5c25e09f20d51377",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:46:39Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:46:35Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://64de2eb0a21711f92ddaa90c29bc4bbf795ff21b51eb2e8b40ad12a9e368206c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:46:40Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:46:40Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://240da3a51b1f7ac449b05256323edb64037412e06236248f6985ab21e138ca85",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:46:43Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:46:40Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2@sha256:c053fa06d890a87c588cf7e2b02490f3a8269fbdf161912c2e4a180cd1c0f597"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-build-cli:latest@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\n\necho \"Running konflux-build-cli\"\nif ! konflux-build-cli image build-image-index \\\n  --image \"$IMAGE\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --buildah-format \"$BUILDAH_FORMAT\" \\\n  --always-build-index=\"$ALWAYS_BUILD_INDEX\" \\\n  --additional-tags \"test-comp-pac36ab79159b4899339ff257c3d30f4b11-build-image-index\" \\\n  --output-manifest-path \"$MANIFEST_DATA_FILE\" \\\n  --result-path-image-digest \"/tekton/results/IMAGE_DIGEST\" \\\n  --result-path-image-url \"/tekton/results/IMAGE_URL\" \\\n  --result-path-image-ref \"/tekton/results/IMAGE_REF\" \\\n  --result-path-images \"/tekton/results/IMAGES\" \\\n  --images \"$@\"; then\n  echo \"Failed to build image index\"\n  exit 1\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/fe95951faac33924a337b79cd4bdfc14d7db2801",
                    "build.appstudio.redhat.com/commit_sha": "fe95951faac33924a337b79cd4bdfc14d7db2801",
                    "build.appstudio.redhat.com/target_branch": "base-forgejo-2ikinu",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-forgejo-2ikinu",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tfoqsv",
                    "pipelinesascode.tekton.dev/git-provider": "gitea",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/forgejo-rep-qw6s/pipelinerun/test-comp-pac-forgejo-8iazc4-on-push-9s8df",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-forgejo-2ikinu\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "fe95951faac33924a337b79cd4bdfc14d7db2801",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request 'Konflux update test-comp-pac-forgejo-8iazc4' (#1) from konflux-test-comp-pac-forgejo-8iazc4 into base-forgejo-2ikinu\n",
                    "pipelinesascode.tekton.dev/sha-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/fe95951faac33924a337b79cd4bdfc14d7db2801",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-forgejo-2ikinu",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "forgejo-rep-qw6s/results/02c59798-052a-4e54-9378-a563f9522a73/records/0033079e-6596-4d2c-a8a4-20658ec1c706",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-2vh4ft\",\"commit\":\"fe95951faac33924a337b79cd4bdfc14d7db2801\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "forgejo-rep-qw6s/results/02c59798-052a-4e54-9378-a563f9522a73",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux"
                },
                "creationTimestamp": "2026-07-01T20:51:43Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-01T20:51:53Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-d1cc",
                    "appstudio.openshift.io/component": "test-comp-pac-forgejo-8iazc4",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-push",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha": "fe95951faac33924a337b79cd4bdfc14d7db2801",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-forgejo-8iazc4-on-push-9s8df",
                    "tekton.dev/pipelineRun": "test-comp-pac-forgejo-8iazc4-on-push-9s8df",
                    "tekton.dev/pipelineRunUID": "02c59798-052a-4e54-9378-a563f9522a73",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies-oci-ta-min"
                },
                "name": "test-comp32a7efb7fa90eb16d07eddc6eefb358c-prefetch-dependencies",
                "namespace": "forgejo-rep-qw6s",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-forgejo-8iazc4-on-push-9s8df",
                        "uid": "02c59798-052a-4e54-9378-a563f9522a73"
                    }
                ],
                "resourceVersion": "72780",
                "uid": "0033079e-6596-4d2c-a8a4-20658ec1c706"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    },
                    {
                        "name": "enable-package-registry-proxy",
                        "value": "true"
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "value": "oci:quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:6fcf80cb8bdc7c9f95b8da542e4432ef01e5bd661f17b127a1882f5590adcb2f"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:fe95951faac33924a337b79cd4bdfc14d7db2801.prefetch"
                    },
                    {
                        "name": "ociArtifactExpiresAfter",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-forgejo-8iazc4",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min:0.3@sha256:78c5f696f6f7db7436060a91eb05252f913363caed46c05ad5a4b09957aa4197"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-tfoqsv"
                        }
                    }
                ]
            },
            "status": {
                "completionTime": "2026-07-01T20:51:43Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:51:43Z",
                        "message": "failed to create task run pod \"test-comp32a7efb7fa90eb16d07eddc6eefb358c-prefetch-dependencies\": translating TaskSpec to Pod: serviceaccounts \"build-pipeline-test-comp-pac-forgejo-8iazc4\" not found. Maybe missing or invalid Task forgejo-rep-qw6s/",
                        "reason": "PodCreationFailed",
                        "status": "False",
                        "type": "Succeeded"
                    }
                ],
                "podName": "",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "78c5f696f6f7db7436060a91eb05252f913363caed46c05ad5a4b09957aa4197"
                        },
                        "entryPoint": "prefetch-dependencies-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min"
                    }
                },
                "startTime": "2026-07-01T20:51:43Z",
                "steps": [
                    {
                        "name": "skip-ta",
                        "provenance": {}
                    },
                    {
                        "name": "use-trusted-artifact",
                        "provenance": {}
                    },
                    {
                        "name": "prefetch-dependencies",
                        "provenance": {}
                    },
                    {
                        "name": "create-trusted-artifact",
                        "provenance": {}
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "service-ca.crt",
                            "description": "The name of the key in the ConfigMap that contains the service CA bundle data. Used to verify TLS connections to in-cluster services such as the package registry proxy.",
                            "name": "SERVICE_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "openshift-service-ca.crt",
                            "description": "The name of the ConfigMap to read service CA bundle data from. Used to verify TLS connections to in-cluster services such as the package registry proxy.",
                            "name": "SERVICE_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Use the package registry proxy when prefetching dependencies",
                            "name": "enable-package-registry-proxy",
                            "type": "string"
                        },
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "description": "The OCI repository where the Trusted Artifacts are stored.",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.",
                            "name": "CACHI2_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "INPUT"
                                },
                                {
                                    "name": "SOURCE_ARTIFACT",
                                    "value": "oci:quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:6fcf80cb8bdc7c9f95b8da542e4432ef01e5bd661f17b127a1882f5590adcb2f"
                                }
                            ],
                            "image": "registry.access.redhat.com/ubi9/ubi-minimal:9.7-1776104705@sha256:fe688da81a696387ca53a4c19231e99289591f990c904ef913c51b6e87d4e4df",
                            "name": "skip-ta",
                            "script": "#!/bin/bash\n\nif [ -z \"${INPUT}\" ]; then\n  mkdir -p /var/workdir/source\n  mkdir -p /var/workdir/cachi2\n  echo \"true\" \u003e/var/workdir/source/.skip-trusted-artifacts\n  echo \"true\" \u003e/var/workdir/cachi2/.skip-trusted-artifacts\n  echo -n \"${SOURCE_ARTIFACT}\" \u003e\"/tekton/results/SOURCE_ARTIFACT\"\n  echo -n \"\" \u003e\"/tekton/results/CACHI2_ARTIFACT\"\nfi\n"
                        },
                        {
                            "args": [
                                "use",
                                "oci:quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:6fcf80cb8bdc7c9f95b8da542e4432ef01e5bd661f17b127a1882f5590adcb2f=/var/workdir/source"
                            ],
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:fb7ce11be542bc524be2c5ea78fd73c87a8a8cbf333905fcdf8b7cb700ad178a",
                            "name": "use-trusted-artifact"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/var/workdir/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/var/workdir/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILES",
                                    "value": "/var/workdir/cachi2/cachi2.env /var/workdir/cachi2/prefetch.env /var/workdir/cachi2/prefetch-env.json"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                },
                                {
                                    "name": "KBC_PD_ENABLE_PACKAGE_REGISTRY_PROXY",
                                    "value": "true"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.50.1@sha256:429936e9da7f2f073bc18bf8bfa0a607f1a98a37a506540171860039aee6960d",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nSERVICE_CA_BUNDLE_PATH=/mnt/service-ca/ca-bundle.crt\nUPDATE_CA_TRUST=false\n\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  echo \"Using mounted CA bundle: $CA_BUNDLE_PATH\"\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  UPDATE_CA_TRUST=true\nfi\n\nif [ -f \"$SERVICE_CA_BUNDLE_PATH\" ]; then\n  echo \"Using mounted service CA bundle: $SERVICE_CA_BUNDLE_PATH\"\n  cp -vf \"$SERVICE_CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/service-ca.crt\n  UPDATE_CA_TRUST=true\nfi\n\nif [ \"$UPDATE_CA_TRUST\" = \"true\" ]; then\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e/mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/service-ca",
                                    "name": "service-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "args": [
                                "create",
                                "--store",
                                "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:fe95951faac33924a337b79cd4bdfc14d7db2801.prefetch",
                                "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source",
                                "/tekton/results/CACHI2_ARTIFACT=/var/workdir/cachi2"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_EXPIRES_AFTER"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:fb7ce11be542bc524be2c5ea78fd73c87a8a8cbf333905fcdf8b7cb700ad178a",
                            "name": "create-trusted-artifact"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "service-ca.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "openshift-service-ca.crt",
                                "optional": true
                            },
                            "name": "service-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/commit_sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "build.appstudio.redhat.com/pull_request_number": "1",
                    "build.appstudio.redhat.com/target_branch": "base-forgejo-2ikinu",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-forgejo-2ikinu",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-liyjlq",
                    "pipelinesascode.tekton.dev/git-provider": "gitea",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/forgejo-rep-qw6s/pipelinerun/test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-forgejo-2ikinu\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "1",
                    "pipelinesascode.tekton.dev/repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft/commit/901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://codeberg.org/konflux-qe/konflux-test-integration-2vh4ft",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "forgejo-rep-qw6s/results/81d990f3-6461-4b79-8c49-e80950843341/records/23ef1f99-4c37-4639-87bf-7f085ef51928",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-2vh4ft\",\"commit\":\"901da5d9297ab0112eadb95a2738a1ed68a2d8c2\",\"eventType\":\"pull_request\",\"pull_request-id\":1}",
                    "results.tekton.dev/result": "forgejo-rep-qw6s/results/81d990f3-6461-4b79-8c49-e80950843341",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-forgejo-8iazc4",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:37:23Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-01T20:51:52Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-d1cc",
                    "appstudio.openshift.io/component": "test-comp-pac-forgejo-8iazc4",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-forgejo-8iazc4-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "1",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-forgejo-8iazc4",
                    "pipelinesascode.tekton.dev/sha": "901da5d9297ab0112eadb95a2738a1ed68a2d8c2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-2vh4ft",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "tekton.dev/pipelineRun": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                    "tekton.dev/pipelineRunUID": "81d990f3-6461-4b79-8c49-e80950843341",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies-oci-ta-min",
                    "test.appstudio.openshift.io/pr-group-sha": "1c85893a4b37f9d5740645871e4a0311d5f9f3687d8d71d85618d917301b05"
                },
                "name": "test-comp36ab79159b4899339ff257c3d30f4b11-prefetch-dependencies",
                "namespace": "forgejo-rep-qw6s",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-forgejo-8iazc4-on-pull-request-dzpbv",
                        "uid": "81d990f3-6461-4b79-8c49-e80950843341"
                    }
                ],
                "resourceVersion": "72746",
                "uid": "23ef1f99-4c37-4639-87bf-7f085ef51928"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    },
                    {
                        "name": "enable-package-registry-proxy",
                        "value": "true"
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "value": "oci:quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:d82785bbe13affebfbbe73df403922c4ef4a1e600e9b99da620770e4f7249fbc"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2.prefetch"
                    },
                    {
                        "name": "ociArtifactExpiresAfter",
                        "value": "5d"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-forgejo-8iazc4",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min:0.3@sha256:78c5f696f6f7db7436060a91eb05252f913363caed46c05ad5a4b09957aa4197"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-liyjlq"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:38:41Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:38:41Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp36ab79159b4899339f4ae29f9d6ebd26a62c68a95f095c628e-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "78c5f696f6f7db7436060a91eb05252f913363caed46c05ad5a4b09957aa4197"
                        },
                        "entryPoint": "prefetch-dependencies-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "CACHI2_ARTIFACT",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "type": "string",
                        "value": "oci:quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:d82785bbe13affebfbbe73df403922c4ef4a1e600e9b99da620770e4f7249fbc"
                    }
                ],
                "startTime": "2026-07-01T20:37:23Z",
                "steps": [
                    {
                        "container": "step-skip-ta",
                        "imageID": "registry.access.redhat.com/ubi9/ubi-minimal@sha256:fe688da81a696387ca53a4c19231e99289591f990c904ef913c51b6e87d4e4df",
                        "name": "skip-ta",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://650079b86e5aa0053153d88f86cb5552bf03993f98a9dea59224da86b4615200",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:37:49Z",
                            "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:d82785bbe13affebfbbe73df403922c4ef4a1e600e9b99da620770e4f7249fbc\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:37:49Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:fb7ce11be542bc524be2c5ea78fd73c87a8a8cbf333905fcdf8b7cb700ad178a",
                        "name": "use-trusted-artifact",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://72e06902453e85f8c35f1ce6e4a11fd589c198fee63354261f23a76ec37e83c3",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:37:50Z",
                            "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:d82785bbe13affebfbbe73df403922c4ef4a1e600e9b99da620770e4f7249fbc\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:37:50Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:429936e9da7f2f073bc18bf8bfa0a607f1a98a37a506540171860039aee6960d",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://39c2e280cb5a5176230f0ad83d6d2056678ef697b2962051fb8575bc0afa074e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:38:40Z",
                            "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:d82785bbe13affebfbbe73df403922c4ef4a1e600e9b99da620770e4f7249fbc\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:37:50Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:fb7ce11be542bc524be2c5ea78fd73c87a8a8cbf333905fcdf8b7cb700ad178a",
                        "name": "create-trusted-artifact",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b0f5c8741b5c294b19bc3f9c1a78f55fb4a2af356d548ae40dd41487d9edb0f6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:38:41Z",
                            "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:d82785bbe13affebfbbe73df403922c4ef4a1e600e9b99da620770e4f7249fbc\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:38:40Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "service-ca.crt",
                            "description": "The name of the key in the ConfigMap that contains the service CA bundle data. Used to verify TLS connections to in-cluster services such as the package registry proxy.",
                            "name": "SERVICE_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "openshift-service-ca.crt",
                            "description": "The name of the ConfigMap to read service CA bundle data from. Used to verify TLS connections to in-cluster services such as the package registry proxy.",
                            "name": "SERVICE_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Use the package registry proxy when prefetching dependencies",
                            "name": "enable-package-registry-proxy",
                            "type": "string"
                        },
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "description": "The OCI repository where the Trusted Artifacts are stored.",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.",
                            "name": "CACHI2_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "INPUT"
                                },
                                {
                                    "name": "SOURCE_ARTIFACT",
                                    "value": "oci:quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:d82785bbe13affebfbbe73df403922c4ef4a1e600e9b99da620770e4f7249fbc"
                                }
                            ],
                            "image": "registry.access.redhat.com/ubi9/ubi-minimal:9.7-1776104705@sha256:fe688da81a696387ca53a4c19231e99289591f990c904ef913c51b6e87d4e4df",
                            "name": "skip-ta",
                            "script": "#!/bin/bash\n\nif [ -z \"${INPUT}\" ]; then\n  mkdir -p /var/workdir/source\n  mkdir -p /var/workdir/cachi2\n  echo \"true\" \u003e/var/workdir/source/.skip-trusted-artifacts\n  echo \"true\" \u003e/var/workdir/cachi2/.skip-trusted-artifacts\n  echo -n \"${SOURCE_ARTIFACT}\" \u003e\"/tekton/results/SOURCE_ARTIFACT\"\n  echo -n \"\" \u003e\"/tekton/results/CACHI2_ARTIFACT\"\nfi\n"
                        },
                        {
                            "args": [
                                "use",
                                "oci:quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4@sha256:d82785bbe13affebfbbe73df403922c4ef4a1e600e9b99da620770e4f7249fbc=/var/workdir/source"
                            ],
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:fb7ce11be542bc524be2c5ea78fd73c87a8a8cbf333905fcdf8b7cb700ad178a",
                            "name": "use-trusted-artifact"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/var/workdir/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/var/workdir/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILES",
                                    "value": "/var/workdir/cachi2/cachi2.env /var/workdir/cachi2/prefetch.env /var/workdir/cachi2/prefetch-env.json"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                },
                                {
                                    "name": "KBC_PD_ENABLE_PACKAGE_REGISTRY_PROXY",
                                    "value": "true"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.50.1@sha256:429936e9da7f2f073bc18bf8bfa0a607f1a98a37a506540171860039aee6960d",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nSERVICE_CA_BUNDLE_PATH=/mnt/service-ca/ca-bundle.crt\nUPDATE_CA_TRUST=false\n\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  echo \"Using mounted CA bundle: $CA_BUNDLE_PATH\"\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  UPDATE_CA_TRUST=true\nfi\n\nif [ -f \"$SERVICE_CA_BUNDLE_PATH\" ]; then\n  echo \"Using mounted service CA bundle: $SERVICE_CA_BUNDLE_PATH\"\n  cp -vf \"$SERVICE_CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors/service-ca.crt\n  UPDATE_CA_TRUST=true\nfi\n\nif [ \"$UPDATE_CA_TRUST\" = \"true\" ]; then\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e/mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/service-ca",
                                    "name": "service-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "args": [
                                "create",
                                "--store",
                                "quay.io/redhat-appstudio-qe/forgejo-rep-qw6s/test-comp-pac-forgejo-8iazc4:on-pr-901da5d9297ab0112eadb95a2738a1ed68a2d8c2.prefetch",
                                "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source",
                                "/tekton/results/CACHI2_ARTIFACT=/var/workdir/cachi2"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_EXPIRES_AFTER",
                                    "value": "5d"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:fb7ce11be542bc524be2c5ea78fd73c87a8a8cbf333905fcdf8b7cb700ad178a",
                            "name": "create-trusted-artifact"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "service-ca.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "openshift-service-ca.crt",
                                "optional": true
                            },
                            "name": "service-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/commit_sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/pull_request_number": "9603",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aviltz",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b/records/89d77946-3ff0-4f64-9a13-be775c6c639a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"eventType\":\"pull_request\",\"pull_request-id\":9603}",
                    "results.tekton.dev/result": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:01Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRunUID": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "kon9bfe6fa80749e4cc7d0aca2de9f832bb-coverity-availability-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                        "uid": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b"
                    }
                ],
                "resourceVersion": "31434",
                "uid": "89d77946-3ff0-4f64-9a13-be775c6c639a"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:03:14Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:03:14Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "kon9bfe6fa80749e4cc7d0aca2dc28daeaf76d17b0ae293a8861110ca65-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-01T20:03:12+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:03:02Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6fd1157e5f9537b15146e9d14114a2507f96b1d3051c26c669c023f710824d28",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:12Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-01T20:03:12+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:12Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/commit_sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/pull_request_number": "9603",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aviltz",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b/records/f8ca7ca5-12cf-485b-ad0f-0324276e8442",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"eventType\":\"pull_request\",\"pull_request-id\":9603}",
                    "results.tekton.dev/result": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:01Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRunUID": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "kon9bfe6fa80749e4cc7d0aca2de9f832bb-deprecated-base-image-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                        "uid": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b"
                    }
                ],
                "resourceVersion": "31631",
                "uid": "f8ca7ca5-12cf-485b-ad0f-0324276e8442"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:03:19Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:03:19Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "kon9bfe6fa80749e4cc7d0aca2d1fc03f9604058988a5a8de779cb47973-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\", \"digests\": [\"sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:03:18+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:03:01Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e430ec4f975fa2d5a186a23fe2be19c72f1e6c2e6880a8648898acf8446c4392",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:18Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\\\", \\\"digests\\\": [\\\"sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:03:18+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:09Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/commit_sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/pull_request_number": "9602",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bepfzk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0/records/68b29d2e-40da-4da5-bb60-f535e280bdbe",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"eventType\":\"pull_request\",\"pull_request-id\":9602}",
                    "results.tekton.dev/result": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-mi8igc",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:57:31Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRunUID": "75307ac8-3355-4c95-9543-396183a6fac0",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "b2c21b4d2a28c1f229abe445a316c65bc14cba1c5e920bcd2e3bb2810a480a"
                },
                "name": "kon9ea13f6b01823c3368acc1a9ee219a20-coverity-availability-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                        "uid": "75307ac8-3355-4c95-9543-396183a6fac0"
                    }
                ],
                "resourceVersion": "25913",
                "uid": "68b29d2e-40da-4da5-bb60-f535e280bdbe"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:57:44Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:57:44Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "kon9ea13f6b01823c3368acc1a9e9b51a794bf5a1d88c869938c8dd3156-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-01T19:57:43+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T19:57:33Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c1029be5292273189dcfc30eaa7ca8278f20be27390fff03c20a8dc149e007c7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:43Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-01T19:57:43+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:43Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/commit_sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/pull_request_number": "9602",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bepfzk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0/records/461ba8e5-29eb-4da8-a394-bbdf0f5a6c70",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"eventType\":\"pull_request\",\"pull_request-id\":9602}",
                    "results.tekton.dev/result": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-mi8igc",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:57:31Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRunUID": "75307ac8-3355-4c95-9543-396183a6fac0",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "b2c21b4d2a28c1f229abe445a316c65bc14cba1c5e920bcd2e3bb2810a480a"
                },
                "name": "kon9ea13f6b01823c3368acc1a9ee219a20-deprecated-base-image-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                        "uid": "75307ac8-3355-4c95-9543-396183a6fac0"
                    }
                ],
                "resourceVersion": "26300",
                "uid": "461ba8e5-29eb-4da8-a394-bbdf0f5a6c70"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:57:47Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:57:47Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "kon9ea13f6b01823c3368acc1a9e0f61b157f573a0212572596f6f27266-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a\", \"digests\": [\"sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T19:57:47+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T19:57:31Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://808a1482727d07eaaebc714b908be65c88956cc9dcf67ee776f75ea6943ee910",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:47Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a\\\", \\\"digests\\\": [\\\"sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T19:57:47+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:38Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/commit_sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/pull_request_number": "9603",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5cec0b7bb9",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aviltz",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b/records/8bc614f3-b043-48b5-9964-9cd7fc1a9e71",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"eventType\":\"pull_request\",\"pull_request-id\":9603}",
                    "results.tekton.dev/result": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:59:59Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRunUID": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "konflux-t9bfe6fa80749e4cc7d0aca2de9f832bb-prefetch-dependencies",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                        "uid": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b"
                    }
                ],
                "resourceVersion": "29372",
                "uid": "8bc614f3-b043-48b5-9964-9cd7fc1a9e71"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-8fb53a5d65"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-aviltz"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:00:10Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:00:10Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-t9bfe6fa80749e4cc7d65b26293c6a42fab8309a4bc44afb71d-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-01T20:00:00Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://30257dc8e68d54e1e3d84c72a75d7251eccf5cb0dc98293b50765b5295fd5b6d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:00:10Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:00:03Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/commit_sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/pull_request_number": "9602",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-f760d7c944",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bepfzk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0/records/64a87787-c587-429a-8206-4025e875b685",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"eventType\":\"pull_request\",\"pull_request-id\":9602}",
                    "results.tekton.dev/result": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-mi8igc",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:54:29Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRunUID": "75307ac8-3355-4c95-9543-396183a6fac0",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies",
                    "test.appstudio.openshift.io/pr-group-sha": "b2c21b4d2a28c1f229abe445a316c65bc14cba1c5e920bcd2e3bb2810a480a"
                },
                "name": "konflux-t9ea13f6b01823c3368acc1a9ee219a20-prefetch-dependencies",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                        "uid": "75307ac8-3355-4c95-9543-396183a6fac0"
                    }
                ],
                "resourceVersion": "23549",
                "uid": "64a87787-c587-429a-8206-4025e875b685"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-511e42ba6b"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-bepfzk"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:54:39Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:54:39Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-t9ea13f6b01823c3368a2518f3990f94d03fee1be6fcb48ee94-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-01T19:54:29Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7a9f645bd71b44a8cb3fab9e8c71b0508896c6406e5aa969124f9c328e7ff070",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:54:39Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:54:33Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/commit_sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/pull_request_number": "9603",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aviltz",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b/records/85270252-5e8b-4840-8f10-581f184b891c",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"eventType\":\"pull_request\",\"pull_request-id\":9603}",
                    "results.tekton.dev/result": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:02Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRunUID": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "konflux-tes9bfe6fa80749e4cc7d0aca2de9f832bb-rpms-signature-scan",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                        "uid": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b"
                    }
                ],
                "resourceVersion": "32336",
                "uid": "85270252-5e8b-4840-8f10-581f184b891c"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:03:41Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:03:41Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-tes9bfe6fa80749e4cc2470e3c466a076f2431d8d9b0974b0c5-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\", \"digests\": [\"sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 132, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:03:40+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:03:05Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://07ad197959965faa63d21e9e384485a8bec7d8a81e0a1ea2a089327586c3a7d0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:39Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:17Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b1375ac947fe7db727199982b611210bf30e416f58d42288eec5a3587d6ad943",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:41Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\\\", \\\"digests\\\": [\\\"sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 132, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:03:40+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:40Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/commit_sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/pull_request_number": "9602",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bepfzk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0/records/fcecaaf9-a11f-4661-a2c0-4d950a165bff",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"eventType\":\"pull_request\",\"pull_request-id\":9602}",
                    "results.tekton.dev/result": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-mi8igc",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:57:32Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRunUID": "75307ac8-3355-4c95-9543-396183a6fac0",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "b2c21b4d2a28c1f229abe445a316c65bc14cba1c5e920bcd2e3bb2810a480a"
                },
                "name": "konflux-tes9ea13f6b01823c3368acc1a9ee219a20-rpms-signature-scan",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                        "uid": "75307ac8-3355-4c95-9543-396183a6fac0"
                    }
                ],
                "resourceVersion": "27277",
                "uid": "fcecaaf9-a11f-4661-a2c0-4d950a165bff"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:58:09Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:58:09Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-tes9ea13f6b01823c3357ef9ccc58b1f1cf25b72a8c8dc2eec0-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a\", \"digests\": [\"sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 132, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T19:58:07+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T19:57:35Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://76a32d8aaa31487ab6b4bf38980e916b8372dce74ef7c3a9b82db6d9c3cad10b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:07Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:45Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e9983d36da19c17322d8c934b12b08579c80180c1cf7f9515b8f7559969a7d47",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:08Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a\\\", \\\"digests\\\": [\\\"sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 132, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T19:58:07+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:07Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/commit_sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/pull_request_number": "9603",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aviltz",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b/records/b6c74a1f-8f57-4f46-aac1-2d9f74e24b91",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"eventType\":\"pull_request\",\"pull_request-id\":9603}",
                    "results.tekton.dev/result": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:02:49Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRunUID": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "konflux-test-9bfe6fa80749e4cc7d0aca2de9f832bb-build-image-index",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                        "uid": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b"
                    }
                ],
                "resourceVersion": "30848",
                "uid": "b6c74a1f-8f57-4f46-aac1-2d9f74e24b91"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1@sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:03:01Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:03:01Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-9bfe6fa80749e45d43a5f333c7a81fe92302852b626e88-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc@sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                    }
                ],
                "startTime": "2026-07-01T20:02:49Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e467938735c4bb270ff46f6e6aeddad2d2f76711bb1abd9491ad3e642f2e0933",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:02:56Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc@sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:02:53Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://95d5163788907b15f977f3dc1b82ae4440c67e3da68c119e79ff8358724bd9bf",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:02:57Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc@sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:02:57Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://622f9b82c39d146c6be231f5cad6438244db4addb5343f9d23fba34c6191a8f9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:00Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc@sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:02:57Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1@sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:konflux-test-9bfe6fa80749e4cc7d0aca2de9f832bb-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:konflux-test-9bfe6fa80749e4cc7d0aca2de9f832bb-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/commit_sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/pull_request_number": "9602",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bepfzk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0/records/75ba269b-baa0-4848-9ae6-12a35b3f9d80",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"eventType\":\"pull_request\",\"pull_request-id\":9602}",
                    "results.tekton.dev/result": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-mi8igc",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:57:18Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRunUID": "75307ac8-3355-4c95-9543-396183a6fac0",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "b2c21b4d2a28c1f229abe445a316c65bc14cba1c5e920bcd2e3bb2810a480a"
                },
                "name": "konflux-test-9ea13f6b01823c3368acc1a9ee219a20-build-image-index",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                        "uid": "75307ac8-3355-4c95-9543-396183a6fac0"
                    }
                ],
                "resourceVersion": "25200",
                "uid": "75ba269b-baa0-4848-9ae6-12a35b3f9d80"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a@sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:57:31Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:57:31Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-9ea13f6b01823c47d80289c447fe4575f1a86be1bd0137-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc@sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                    }
                ],
                "startTime": "2026-07-01T19:57:18Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b2d14bc2e7a9e2275a14df1c99d358531795dd416fdf1828d0149c11b06ac209",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:27Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc@sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:23Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://93de265fac26da87978e084122ab14325dc3409b2194d8d488e63a3f4b6f2383",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:27Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc@sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:27Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2a4bd0dea4cc0749a065571ee1f8d14caad95e891d5fcd275bd6a9e489a8676d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:31Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc@sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:27Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a@sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:konflux-test-9ea13f6b01823c3368acc1a9ee219a20-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:konflux-test-9ea13f6b01823c3368acc1a9ee219a20-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/commit_sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/pull_request_number": "9603",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5cec0b7bb9",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aviltz",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b/records/d76a3555-e3a9-45bd-bceb-095bf3e0b921",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"eventType\":\"pull_request\",\"pull_request-id\":9603}",
                    "results.tekton.dev/result": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:59:48Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRunUID": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "konflux-test-i9bfe6fa80749e4cc7d0aca2de9f832bb-clone-repository",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                        "uid": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b"
                    }
                ],
                "resourceVersion": "29327",
                "uid": "d76a3555-e3a9-45bd-bceb-095bf3e0b921"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "revision",
                        "value": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-8fb53a5d65"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-aviltz"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:59:55Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:59:55Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-i9bfe6fa80749e4df79d3a5984d1626dad25cb983a03bc-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1782935944"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "fd42ff4"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    }
                ],
                "startTime": "2026-07-01T19:59:48Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://0942baf2f0a5b1bbdf6ebe8e20ad1e9ce2055108b68ff5d8330a6eb581fe0f80",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:59:54Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1},{\"key\":\"commit\",\"value\":\"fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782935944\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"fd42ff4\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:59:53Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://55427cf31fd3ad68601b9aad7a1e1cf667a7112fb94b2c6758d09dad2cd9dfa1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:59:54Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1},{\"key\":\"commit\",\"value\":\"fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782935944\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"fd42ff4\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:59:54Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/commit_sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/pull_request_number": "9603",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5cec0b7bb9",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aviltz",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b/records/12ce7a90-443c-4c93-94ea-a39da4c56358",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"eventType\":\"pull_request\",\"pull_request-id\":9603}",
                    "results.tekton.dev/result": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:01Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRunUID": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "konflux-test-i9bfe6fa80749e4cc7d0aca2de9f832bb-sast-shell-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                        "uid": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b"
                    }
                ],
                "resourceVersion": "31446",
                "uid": "12ce7a90-443c-4c93-94ea-a39da4c56358"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-8fb53a5d65"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:03:21Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:03:21Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-i9bfe6fa80749e4da28f2c3da31dda1da825dc6f488bcf-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:03:18+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:03:03Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2f4e95eee9de9285123f7846e8e6c6d9b24b04526614a325135c9e0a7c779432",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:18Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:03:18+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:16Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://73144f01abdd7a7a8928c41068237acc51c2aabf4addcede2f06ee14c1b4b347",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:20Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:03:18+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:19Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/commit_sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/pull_request_number": "9602",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-f760d7c944",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bepfzk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0/records/47b6f71a-e781-405c-9b19-9dc24d02c495",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"eventType\":\"pull_request\",\"pull_request-id\":9602}",
                    "results.tekton.dev/result": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-mi8igc",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:54:20Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRunUID": "75307ac8-3355-4c95-9543-396183a6fac0",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "b2c21b4d2a28c1f229abe445a316c65bc14cba1c5e920bcd2e3bb2810a480a"
                },
                "name": "konflux-test-i9ea13f6b01823c3368acc1a9ee219a20-clone-repository",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                        "uid": "75307ac8-3355-4c95-9543-396183a6fac0"
                    }
                ],
                "resourceVersion": "23340",
                "uid": "47b6f71a-e781-405c-9b19-9dc24d02c495"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "revision",
                        "value": "00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-511e42ba6b"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-bepfzk"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:54:28Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:54:28Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-i9ea13f6b0182395e4eca6aff9f0f553c05cb25b34608b-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1782935613"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "0036204"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    }
                ],
                "startTime": "2026-07-01T19:54:21Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://28f2a5ebaf725f0648f235dbfe8eb963d94d9f8880c6b0a117124b93b50e245b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:54:26Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1},{\"key\":\"commit\",\"value\":\"00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782935613\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"0036204\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:54:26Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://fb0f7e9ce92f681e2702a3421a523642e0d755c175f3949eb95a6d7edc06f95b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:54:27Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1},{\"key\":\"commit\",\"value\":\"00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782935613\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"0036204\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:54:27Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/commit_sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/pull_request_number": "9602",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-f760d7c944",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bepfzk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0/records/9fd43a95-ebee-4e72-845a-5bf92f25c46b",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"eventType\":\"pull_request\",\"pull_request-id\":9602}",
                    "results.tekton.dev/result": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-mi8igc",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:57:31Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRunUID": "75307ac8-3355-4c95-9543-396183a6fac0",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "b2c21b4d2a28c1f229abe445a316c65bc14cba1c5e920bcd2e3bb2810a480a"
                },
                "name": "konflux-test-i9ea13f6b01823c3368acc1a9ee219a20-sast-shell-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                        "uid": "75307ac8-3355-4c95-9543-396183a6fac0"
                    }
                ],
                "resourceVersion": "25951",
                "uid": "9fd43a95-ebee-4e72-845a-5bf92f25c46b"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-511e42ba6b"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:57:51Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:57:51Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-i9ea13f6b018238476e1c6f7291ae72f23c564d306cb2f-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T19:57:46+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T19:57:33Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ba461542ff9e9b7e6a0f0e14f95d30390e8551ca08686d235da5efb577ae0b6a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:46Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T19:57:46+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:44Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d28242cf25574d31990e29632185327b144b16b4bd110383d8f1a50a4c23c8c8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:49Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T19:57:46+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:47Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/commit_sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/pull_request_number": "9603",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5cec0b7bb9",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aviltz",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b/records/cce22732-dbbb-48dd-bde1-8782e219ad1f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"eventType\":\"pull_request\",\"pull_request-id\":9603}",
                    "results.tekton.dev/result": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:00:12Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRunUID": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "konflux-test-in9bfe6fa80749e4cc7d0aca2de9f832bb-build-container",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                        "uid": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b"
                    }
                ],
                "resourceVersion": "30574",
                "uid": "cce22732-dbbb-48dd-bde1-8782e219ad1f"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-8fb53a5d65"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:02:49Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:02:49Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-in9bfe6fa807490c0c93be21b3a07c91d2435d7311c92e-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1@sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc@sha256:4ac9d118239151691056a5b5e809f0e29dfc1d103fddf8071ba868e48a3c408a"
                    }
                ],
                "startTime": "2026-07-01T20:00:12Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6b6f99b2cd174b3ab36022473974ae1dfff58fd529958ccd27eca32e668ceedc",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:01:22Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:00:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a2f81cc0a6d642d4d10ed13b5f7733e14b2fd0e9d4999951ad221417bbe4970c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:01:33Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1@sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:01:23Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a4ee97bada5e83a4003ca64d46835ded5d64f8976e5c0e012f05220dd5b760f6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:01:46Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1@sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:01:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://32eb7746ef7ec40a34a367b589a38cbc8aeaa66ebad2554fea8a6df024b800fc",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:02:10Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1@sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:01:47Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8851fa777d8e71a93c1d9c1eef9884aafb5097fabe1f1d8cbb0b3a253355070c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:02:48Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1@sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc@sha256:4ac9d118239151691056a5b5e809f0e29dfc1d103fddf8071ba868e48a3c408a\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:02:10Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "."
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "konflux-test-in9bfe6fa80749e4cc7d0aca2de9f832bb-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/commit_sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/pull_request_number": "9603",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5cec0b7bb9",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aviltz",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b/records/a6dd520b-4112-4045-a726-f3afa9d94ba5",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"eventType\":\"pull_request\",\"pull_request-id\":9603}",
                    "results.tekton.dev/result": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:01Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRunUID": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "konflux-test-in9bfe6fa80749e4cc7d0aca2de9f832bb-push-dockerfile",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                        "uid": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b"
                    }
                ],
                "resourceVersion": "31559",
                "uid": "a6dd520b-4112-4045-a726-f3afa9d94ba5"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-8fb53a5d65"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:03:18Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:03:18Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-in9bfe6fa8074914cb9b58e0e5865623a421b7847d87fe-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc@sha256:2950dba83483860bda4cd01df19b4b41ed1b0b0f93bed522c908a37fe8f467a7"
                    }
                ],
                "startTime": "2026-07-01T20:03:05Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6f744eedd4850251f9b65a3c635c4953ec589fd473db60ba6d6103e1376bc28d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:17Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc@sha256:2950dba83483860bda4cd01df19b4b41ed1b0b0f93bed522c908a37fe8f467a7\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:16Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                ".",
                                "--containerfile",
                                "Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                                "--image-digest",
                                "sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/commit_sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/pull_request_number": "9603",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5cec0b7bb9",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aviltz",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b/records/bb92fb48-e92a-4ab6-89bc-347b3c94069f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"eventType\":\"pull_request\",\"pull_request-id\":9603}",
                    "results.tekton.dev/result": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:01Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRunUID": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "konflux-test-in9bfe6fa80749e4cc7d0aca2de9f832bb-sast-snyk-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                        "uid": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b"
                    }
                ],
                "resourceVersion": "31372",
                "uid": "bb92fb48-e92a-4ab6-89bc-347b3c94069f"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-8fb53a5d65"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:03:18Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:03:18Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-in9bfe6fa80749bc70567d5ed7a76eea44c4f1104ef685-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-01T20:03:16+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:03:02Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3082bb526d75eb6083c4225419c08d685e5d62409fd526a2b41b999e5328baf2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:16Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-01T20:03:16+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://986b6a559b363fe16bb2c2b93e250f20681f479fb533e6f1274670d13ad032a8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:17Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-01T20:03:16+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:16Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/commit_sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/pull_request_number": "9602",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-f760d7c944",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bepfzk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0/records/a7c3f66c-8537-4201-842b-291c24ab8544",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"eventType\":\"pull_request\",\"pull_request-id\":9602}",
                    "results.tekton.dev/result": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-mi8igc",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:54:41Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRunUID": "75307ac8-3355-4c95-9543-396183a6fac0",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "b2c21b4d2a28c1f229abe445a316c65bc14cba1c5e920bcd2e3bb2810a480a"
                },
                "name": "konflux-test-in9ea13f6b01823c3368acc1a9ee219a20-build-container",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                        "uid": "75307ac8-3355-4c95-9543-396183a6fac0"
                    }
                ],
                "resourceVersion": "24851",
                "uid": "a7c3f66c-8537-4201-842b-291c24ab8544"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-511e42ba6b"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:57:18Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:57:18Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-in9ea13f6b0182712addeeca86422a10a8cf1d10e80705-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a@sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc@sha256:92e310b858b71faa7665d8f51478a21026e1e14f1f9416c2bffdc3aed783d2ef"
                    }
                ],
                "startTime": "2026-07-01T19:54:41Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2df5e3db7f22df4c9a6efc8c8f9e66210880e853667e26003070314739006a22",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:55:34Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:54:48Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ed1b6f3adc4e933c09c355e9c09e450b69bded0f5158a6c23a09fb7ed81d680f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:56:01Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a@sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:55:35Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7fdabc82e2ec57a7ff18ede9724b0b80200a03d07548fa94c4dd14bfa3527db9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:56:15Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a@sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:56:02Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f9d71675072f6265b8be7966ff2eb8c5f4ad14b4f47e7417cb1ba9ef965771b9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:56:39Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a@sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:56:16Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://cf8666b0e5fc0a567080358b397655ba5f9fe6cfb45ded9d4a8e72f1215d5e3a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:17Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a@sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc@sha256:92e310b858b71faa7665d8f51478a21026e1e14f1f9416c2bffdc3aed783d2ef\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:56:39Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "."
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "konflux-test-in9ea13f6b01823c3368acc1a9ee219a20-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/commit_sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/pull_request_number": "9602",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-f760d7c944",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bepfzk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0/records/d09907d0-7787-4674-a1ee-55b7a02cd2cc",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"eventType\":\"pull_request\",\"pull_request-id\":9602}",
                    "results.tekton.dev/result": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-mi8igc",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:57:32Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRunUID": "75307ac8-3355-4c95-9543-396183a6fac0",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "b2c21b4d2a28c1f229abe445a316c65bc14cba1c5e920bcd2e3bb2810a480a"
                },
                "name": "konflux-test-in9ea13f6b01823c3368acc1a9ee219a20-push-dockerfile",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                        "uid": "75307ac8-3355-4c95-9543-396183a6fac0"
                    }
                ],
                "resourceVersion": "26193",
                "uid": "d09907d0-7787-4674-a1ee-55b7a02cd2cc"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-511e42ba6b"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:57:45Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:57:45Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-in9ea13f6b018241e767f81db273b2a0075077fcb18963-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc@sha256:1101e10d9681080ea2aacacc9d51488162ac8a168fbf0d12c1db1c5e36e82453"
                    }
                ],
                "startTime": "2026-07-01T19:57:34Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5a78f195ee8e92287b5a091900b40ec76ee626e7b8fcb80bdc2679133d58ad99",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:45Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc@sha256:1101e10d9681080ea2aacacc9d51488162ac8a168fbf0d12c1db1c5e36e82453\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:43Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                ".",
                                "--containerfile",
                                "Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                                "--image-digest",
                                "sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/commit_sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/pull_request_number": "9602",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-f760d7c944",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bepfzk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0/records/12952eb3-c3ab-4891-9959-c34d9a4cb05b",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"eventType\":\"pull_request\",\"pull_request-id\":9602}",
                    "results.tekton.dev/result": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-mi8igc",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:57:31Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRunUID": "75307ac8-3355-4c95-9543-396183a6fac0",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "b2c21b4d2a28c1f229abe445a316c65bc14cba1c5e920bcd2e3bb2810a480a"
                },
                "name": "konflux-test-in9ea13f6b01823c3368acc1a9ee219a20-sast-snyk-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                        "uid": "75307ac8-3355-4c95-9543-396183a6fac0"
                    }
                ],
                "resourceVersion": "25775",
                "uid": "12952eb3-c3ab-4891-9959-c34d9a4cb05b"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-511e42ba6b"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:57:47Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:57:47Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-in9ea13f6b0182182e065c1478de5c6fe2a6d6cd21ba53-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-01T19:57:45+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T19:57:32Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://24fae6e1a41a9555afde2ad5003a5b19baa82ef84d74be4fc02906d2c612b7fe",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:45Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-01T19:57:45+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:43Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://334b893c4b35af32b733420253c7affb7ed58a03c90e400afbf3754d27b72905",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:45Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-01T19:57:45+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:45Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/commit_sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/pull_request_number": "9603",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aviltz",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b/records/3e457de2-cecf-4f1c-890a-6660d7bd3285",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"eventType\":\"pull_request\",\"pull_request-id\":9603}",
                    "results.tekton.dev/result": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:01Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRunUID": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "konflux-test-integr9bfe6fa80749e4cc7d0aca2de9f832bb-clamav-scan",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                        "uid": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b"
                    }
                ],
                "resourceVersion": "33606",
                "uid": "3e457de2-cecf-4f1c-890a-6660d7bd3285"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:04:02Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:04:02Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integr9bfe6fa8b9930f961a483f46199168047a661a1a-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\", \"digests\": [\"sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782936236\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-01T20:03:02Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:2da6c1a37fef998b68b675505fb654b1123e3cd889c190c59b4527d11621e8fc",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://34b1dc704177bff240ed493b54c6ec8c83dfa69e637f5e26d14775b2f93d084c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:56Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\\\", \\\"digests\\\": [\\\"sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782936236\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://0129a7e7bbe75ee307203bb0e3a356570fce972b27ae7fed0541c75f2cd1d696",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:59Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\\\", \\\"digests\\\": [\\\"sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782936236\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:56Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/commit_sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/pull_request_number": "9602",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bepfzk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0/records/0b236cd2-96a1-482b-897d-a0174239522a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"eventType\":\"pull_request\",\"pull_request-id\":9602}",
                    "results.tekton.dev/result": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-mi8igc",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:57:31Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRunUID": "75307ac8-3355-4c95-9543-396183a6fac0",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "b2c21b4d2a28c1f229abe445a316c65bc14cba1c5e920bcd2e3bb2810a480a"
                },
                "name": "konflux-test-integr9ea13f6b01823c3368acc1a9ee219a20-clamav-scan",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                        "uid": "75307ac8-3355-4c95-9543-396183a6fac0"
                    }
                ],
                "resourceVersion": "27642",
                "uid": "0b236cd2-96a1-482b-897d-a0174239522a"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:58:28Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:58:28Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integr9ea13f6bf4cff083324f1beff5703f0d375d7fcd-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a\", \"digests\": [\"sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782935902\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-01T19:57:32Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:2da6c1a37fef998b68b675505fb654b1123e3cd889c190c59b4527d11621e8fc",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://91afab6ddf570c3e7419b7c477adcdb9903d39ddc3d7355792ea37c8c26c973a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:23Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a\\\", \\\"digests\\\": [\\\"sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782935902\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:43Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://03d30fc57b8c9b20a886d9a06b2d90051f29659f5afd604736ce8ad72ba5de88",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:26Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a\\\", \\\"digests\\\": [\\\"sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782935902\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:23Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/commit_sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/pull_request_number": "9603",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aviltz",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b/records/5a30ba5e-acf1-4fb3-a086-34bf9114fb02",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"eventType\":\"pull_request\",\"pull_request-id\":9603}",
                    "results.tekton.dev/result": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:01Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRunUID": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "konflux-test-integra9bfe6fa80749e4cc7d0aca2de9f832bb-apply-tags",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                        "uid": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b"
                    }
                ],
                "resourceVersion": "31515",
                "uid": "5a30ba5e-acf1-4fb3-a086-34bf9114fb02"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:03:16Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:03:16Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integra9bfe6fad2d35f1342458b203846d62b977a0897-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-01T20:03:04Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6951ac80086ecfbfe2b64680aa0443e1a3b7ddc1030cd2edfbcaf4ee34efe23a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:15Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:15Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                                "--digest",
                                "sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/commit_sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/pull_request_number": "9603",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aviltz",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b/records/cee60043-f470-4656-a750-ee9313651506",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"eventType\":\"pull_request\",\"pull_request-id\":9603}",
                    "results.tekton.dev/result": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:01Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRunUID": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "konflux-test-integra9bfe6fa80749e4cc7d0aca2de9f832bb-clair-scan",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                        "uid": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b"
                    }
                ],
                "resourceVersion": "32449",
                "uid": "cee60043-f470-4656-a750-ee9313651506"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:03:47Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:03:47Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integra9bfe6fa3b5b429c16675a0e5ca20bd9c31161fa-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\", \"digests\": [\"sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\":\"sha256:de0e2e8567092aa7ca070add13f6c638c1e6ba31b5be6f52eb47778fad72c648\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":147,\"low\":150,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:03:47+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:03:01Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://eec7047946028eac64f72132df01d265489a828da9424e2f5625b9b8ff0b4e5e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:19Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b458f18a62b00cd9486703c3e4a8f4320a27adf08cbf39561974fbcd65f52eb7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:39Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://0074b65b96dd5fc85cb1d7c30b4dd222d22d858b4720becbe27f3603f5c602e8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:42Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:40Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://380981c00bdf3e2306bed0d39906283c83472a51fb04b8dba99008f7378e5f5c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:47Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\\\", \\\"digests\\\": [\\\"sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\\\":\\\"sha256:de0e2e8567092aa7ca070add13f6c638c1e6ba31b5be6f52eb47778fad72c648\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":147,\\\"low\\\":150,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:03:47+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:42Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/commit_sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/pull_request_number": "9602",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bepfzk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0/records/3cd7de97-2b92-4e46-b6cb-22e1d55607d3",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"eventType\":\"pull_request\",\"pull_request-id\":9602}",
                    "results.tekton.dev/result": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-mi8igc",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:57:31Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRunUID": "75307ac8-3355-4c95-9543-396183a6fac0",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "b2c21b4d2a28c1f229abe445a316c65bc14cba1c5e920bcd2e3bb2810a480a"
                },
                "name": "konflux-test-integra9ea13f6b01823c3368acc1a9ee219a20-apply-tags",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                        "uid": "75307ac8-3355-4c95-9543-396183a6fac0"
                    }
                ],
                "resourceVersion": "26061",
                "uid": "3cd7de97-2b92-4e46-b6cb-22e1d55607d3"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:57:44Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:57:44Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integra9ea13f64dadbad8cd01f7496b1e70d08a5f2b56-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-01T19:57:34Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://1a63f7e0d2ce42df32eb1702a8aa67e153553f124562d57ee900904cb029266c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:43Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:42Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                                "--digest",
                                "sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/commit_sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/pull_request_number": "9602",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bepfzk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0/records/6ffe3da9-3433-404f-89df-3c0631f43267",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"eventType\":\"pull_request\",\"pull_request-id\":9602}",
                    "results.tekton.dev/result": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-mi8igc",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:57:31Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRunUID": "75307ac8-3355-4c95-9543-396183a6fac0",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "b2c21b4d2a28c1f229abe445a316c65bc14cba1c5e920bcd2e3bb2810a480a"
                },
                "name": "konflux-test-integra9ea13f6b01823c3368acc1a9ee219a20-clair-scan",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                        "uid": "75307ac8-3355-4c95-9543-396183a6fac0"
                    }
                ],
                "resourceVersion": "27284",
                "uid": "6ffe3da9-3433-404f-89df-3c0631f43267"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:58:20Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:58:20Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integra9ea13f696efa3e1e241f1381229db67fbd3aa23-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a\", \"digests\": [\"sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\":\"sha256:c40ff72600ab1f5c666b2a1e2c138640e8cf5ee49ddc6ab0ef3ed582a85ebfc0\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":147,\"low\":150,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T19:58:19+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T19:57:31Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3e328ff2f27272610f3f2def7aff8a8efb25a5bb64af8c647ef8e70b5b50350f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:48Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:43Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://45ba16511033e51a014f08ca1810d2571281688b7e79c6123e9f50db8a34dfb5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:12Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:49Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b9d7fe5c93e5787cbdaed6916708b0ebb04de5a9cb6310d53f260e0e7f9cdaf4",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:14Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:12Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2a47b229f669332b622355e9b1fe6ca30edc910e551f1fd861b2e964405766d1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:19Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a\\\", \\\"digests\\\": [\\\"sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\\\":\\\"sha256:c40ff72600ab1f5c666b2a1e2c138640e8cf5ee49ddc6ab0ef3ed582a85ebfc0\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":147,\\\"low\\\":150,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T19:58:19+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:15Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/commit_sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/pull_request_number": "9603",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aviltz",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b/records/40be3846-dd91-4255-b444-3f2184c1abe6",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"eventType\":\"pull_request\",\"pull_request-id\":9603}",
                    "results.tekton.dev/result": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:59:40Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRunUID": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "konflux-test-integration-c9bfe6fa80749e4cc7d0aca2de9f832bb-init",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                        "uid": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b"
                    }
                ],
                "resourceVersion": "29245",
                "uid": "40be3846-dd91-4255-b444-3f2184c1abe6"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:59:46Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:59:46Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integration-c9a88f658062dc88ead94a97de074188a5-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-01T19:59:40Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7ed5c4b6a4a7a9be5b385f861a7b1e4dd7ee5ea90290a76bbc398b96a1a6e8e6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:59:45Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:59:45Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/commit_sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/pull_request_number": "9602",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bepfzk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0/records/22e9949a-7414-4679-b56f-002aee216c08",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"eventType\":\"pull_request\",\"pull_request-id\":9602}",
                    "results.tekton.dev/result": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-mi8igc",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:54:13Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRunUID": "75307ac8-3355-4c95-9543-396183a6fac0",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "b2c21b4d2a28c1f229abe445a316c65bc14cba1c5e920bcd2e3bb2810a480a"
                },
                "name": "konflux-test-integration-c9ea13f6b01823c3368acc1a9ee219a20-init",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                        "uid": "75307ac8-3355-4c95-9543-396183a6fac0"
                    }
                ],
                "resourceVersion": "23199",
                "uid": "22e9949a-7414-4679-b56f-002aee216c08"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:54:17Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:54:17Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integration-c9c764d48ea24fa768bee357f27ca9beeb-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-01T19:54:13Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7d6ec81f1cca80cb80a641cacf3d768b3b92ed2a41058fc230479d5a63216377",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:54:17Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:54:17Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/commit_sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/pull_request_number": "9603",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aviltz",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b/records/485f370b-3143-4837-b690-978911484f3d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"eventType\":\"pull_request\",\"pull_request-id\":9603}",
                    "results.tekton.dev/result": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:01Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRunUID": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "konflux-test-integration-clone-71238ebb8f9ee1b5601423c18596f6c1",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                        "uid": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b"
                    }
                ],
                "resourceVersion": "32498",
                "uid": "485f370b-3143-4837-b690-978911484f3d"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:03:47Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:03:47Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integration-cla1fbc1b2524a96e6705db4abd7a5d385-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\", \"digests\": [\"sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782936226\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-01T20:03:01Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://86b838b3a3897f87a7e72ff6327dfcb9b94775e0f18a9f3a9d73efa0ec9dc9ea",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:18Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:16Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://503f6ab6c9c1580c3a7fc9f5e0b3e8e8933b5b32b65b9d8760be29b2d351b2ac",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:18Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:18Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2d134e63cb04cfd9ef17099704f2cc93c01ba794be99cef29df49e096ed21278",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:19Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:19Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6bdbca1db611d0898a34e384822bcfa3160696031a5eabfa1152389d2ad82a0c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:45Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:19Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\", \"digests\": [\"sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782936226\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://3cd87c175a29c4f25d2300460b67c842b3182ae8614bdd5cbc607d156af8016b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:46Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\\\", \\\"digests\\\": [\\\"sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782936226\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:46Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782936226\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://a49ad7eba533817a279ea692ed03bf98c16308e54f16bf6f01098b98413dffa0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:47Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782936226\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:46Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/commit_sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/pull_request_number": "9602",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bepfzk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0/records/c94647c8-e8fb-4364-a389-b1de3a8b6ce5",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"eventType\":\"pull_request\",\"pull_request-id\":9602}",
                    "results.tekton.dev/result": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-mi8igc",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:57:31Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRunUID": "75307ac8-3355-4c95-9543-396183a6fac0",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "b2c21b4d2a28c1f229abe445a316c65bc14cba1c5e920bcd2e3bb2810a480a"
                },
                "name": "konflux-test-integration-clone-a50aad64db011f5127a6023a60e6e888",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                        "uid": "75307ac8-3355-4c95-9543-396183a6fac0"
                    }
                ],
                "resourceVersion": "27302",
                "uid": "c94647c8-e8fb-4364-a389-b1de3a8b6ce5"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:58:15Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:58:15Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integration-cl00fd91d4b9209fd5afc62f3f0eb0c991-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a\", \"digests\": [\"sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782935893\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-01T19:57:31Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://509c1c8ea1d8008a0461e98b290bdb9d74e3d6065105110b09eb64f55415fef9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:45Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:44Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://7b1703a31f402b5526aba1edd4360266a602f1dc8f67ce682dd27e6c7fe6cc52",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:46Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:46Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://054c17f5c65e7d61d7bccd5f8b48f20d8b9ca6f6e2a7ba26844271d45cd3503c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:47Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:47Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://34136e4d0581e8d878422f67cf22139d635b76a5de2dcecd6c4c755884ad838a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:13Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:47Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a\", \"digests\": [\"sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782935893\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://20b57ea30e2e9bf9df6beee8989f98cbef5626c627a281c29a2e92ea465d7d05",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:14Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a\\\", \\\"digests\\\": [\\\"sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782935893\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:13Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782935893\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://3c4ca5d29e231e847194905e73a6e3988bef72a7e113b814154e7902b972c6ea",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:14Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782935893\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:14Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/commit_sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "build.appstudio.redhat.com/pull_request_number": "9603",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-5cec0b7bb9",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-aviltz",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b/records/922f0840-022e-4dc9-a5d7-2fecb88fe55e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1\",\"eventType\":\"pull_request\",\"pull_request-id\":9603}",
                    "results.tekton.dev/result": "group-5ld1/results/f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:01Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624988824",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9603",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                    "tekton.dev/pipelineRunUID": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "konflux-test9bfe6fa80749e4cc7d0aca2de9f832bb-sast-unicode-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-jgdkl",
                        "uid": "f11cb7c9-14a3-4f4b-a44f-2f13afd2546b"
                    }
                ],
                "resourceVersion": "31490",
                "uid": "922f0840-022e-4dc9-a5d7-2fecb88fe55e"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-8fb53a5d65"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:03:21Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:03:21Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test9bfe6fa80749e4c1182324d498bc2318cfd0c2ddef43b84-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:03:18+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:03:03Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://76adfbc20f6ac671146931823cf565b7036e777d5b54a78a49857cba3169a5f1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:18Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:03:18+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:16Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9009be9ce95f14bc9a395326820db7a96c18f47766e0477a4e3ed4e344c366a3",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:20Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:03:18+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:19Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-fd42ff4a0c438c447ba957fd70dd13dfcc45d5b1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:4da9116813499c192200deada8ca05c71bdeb8fa4ff464ab73e6db06892eeefd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/commit_sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "build.appstudio.redhat.com/pull_request_number": "9602",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-f760d7c944",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bepfzk",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0/records/f22621bb-1f91-4ff2-bfb9-447a59458830",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"00362042ee0a506d4600c0af6f0f8cd2ad28449a\",\"eventType\":\"pull_request\",\"pull_request-id\":9602}",
                    "results.tekton.dev/result": "group-5ld1/results/75307ac8-3355-4c95-9543-396183a6fac0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-mi8igc",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:57:31Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-mi8igc",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624000613",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-mi8igc-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9602",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-mi8igc",
                    "pipelinesascode.tekton.dev/sha": "00362042ee0a506d4600c0af6f0f8cd2ad28449a",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                    "tekton.dev/pipelineRunUID": "75307ac8-3355-4c95-9543-396183a6fac0",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "b2c21b4d2a28c1f229abe445a316c65bc14cba1c5e920bcd2e3bb2810a480a"
                },
                "name": "konflux-test9ea13f6b01823c3368acc1a9ee219a20-sast-unicode-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-mi8igc-on-pull-request-225ds",
                        "uid": "75307ac8-3355-4c95-9543-396183a6fac0"
                    }
                ],
                "resourceVersion": "26021",
                "uid": "f22621bb-1f91-4ff2-bfb9-447a59458830"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-mi8igc",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-511e42ba6b"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:57:48Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:57:48Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test9ea13f6b01823c379a0bdbff619814c2001caf1e4270e25-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T19:57:46+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T19:57:33Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2e50d1cf243b6c77871693900d6748d871991b1f080eeed1e74e167a16d05752",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:46Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T19:57:46+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:44Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://0e9ea30c2ad011f9d2064e32ae701891fad9d46b1a4fb9ea6e10d3f6155d4884",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:48Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T19:57:46+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:47Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/konflux-test-integration-clone-mi8igc:on-pr-00362042ee0a506d4600c0af6f0f8cd2ad28449a"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b7c05122c79342e4511cc0d0a04b558025f442f7027754575be0d63dfc9ea5cf"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/commit_sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxdjzb",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-push-hrpzp",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22760 from redhat-appstudio-qe/konflux-python-component-9p2jjw\n\nkonflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786/records/adb19c7a-b224-418b-bbcb-a30a9b446c10",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"eventType\":\"push\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-01T19:58:00Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRunUID": "d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check"
                },
                "name": "pyt00848fef46b1364d1b2d2480b10f8589-coverity-availability-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-push-hrpzp",
                        "uid": "d21d1710-ff8a-4328-95b8-bf6bf3d51786"
                    }
                ],
                "resourceVersion": "26581",
                "uid": "adb19c7a-b224-418b-bbcb-a30a9b446c10"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:58:16Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:58:16Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pyt00848fef46b1364d1b2d248048b6d9e75113cf665609683898947faf-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-01T19:58:15+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T19:58:01Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://600a1e47bb87a13048251da486e50ac98327828fafbfa2aa2f6693dac9973dfe",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:15Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-01T19:58:15+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:15Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/commit_sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxdjzb",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-push-hrpzp",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22760 from redhat-appstudio-qe/konflux-python-component-9p2jjw\n\nkonflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786/records/9c3820aa-6a5c-4f09-b980-d639d9eade5a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"eventType\":\"push\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-01T19:58:00Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRunUID": "d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check"
                },
                "name": "pyt00848fef46b1364d1b2d2480b10f8589-deprecated-base-image-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-push-hrpzp",
                        "uid": "d21d1710-ff8a-4328-95b8-bf6bf3d51786"
                    }
                ],
                "resourceVersion": "27381",
                "uid": "9c3820aa-6a5c-4f09-b980-d639d9eade5a"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:58:21Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:58:21Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pyt00848fef46b1364d1b2d2480fe4710ddc79eac21ea5d03e4dbf4e665-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018\", \"digests\": [\"sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T19:58:21+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":1,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T19:58:00Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9c91139e9653bbd0bac4cd5fe7bd2e9263c05afe09ab6ec8f884b987f51460e2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:21Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018\\\", \\\"digests\\\": [\\\"sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T19:58:21+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":1,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:12Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/commit_sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tpitzu",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-srs4j",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6/records/5e7f2217-ebda-4574-b6f3-7a3175df490d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"100d294565b847cca92e0c65101c1f8daf75abd1\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:11:18Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRunUID": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "pyt0335ee6cf8ed62a1cdc0e1208a76147f-coverity-availability-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-srs4j",
                        "uid": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6"
                    }
                ],
                "resourceVersion": "40072",
                "uid": "5e7f2217-ebda-4574-b6f3-7a3175df490d"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:11:36Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:11:36Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pyt0335ee6cf8ed62a1cdc0e120e5d78b98b09ccb8b23f6e2cdd6c63d28-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-01T20:11:35+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:11:19Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3b91a2991da76a0533103b1d92bf728171e8ff7f67350fc84f20f65ccd9efa40",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:11:35Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-01T20:11:35+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:11:35Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/commit_sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tpitzu",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-srs4j",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6/records/e8ec953e-5674-489c-b466-4f5e21dec4c0",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"100d294565b847cca92e0c65101c1f8daf75abd1\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:11:18Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRunUID": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "pyt0335ee6cf8ed62a1cdc0e1208a76147f-deprecated-base-image-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-srs4j",
                        "uid": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6"
                    }
                ],
                "resourceVersion": "41155",
                "uid": "e8ec953e-5674-489c-b466-4f5e21dec4c0"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:12:48Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:12:48Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pyt0335ee6cf8ed62a1cdc0e120850b91e1de248065bd52adb3a762e11d-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1\", \"digests\": [\"sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:12:47+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":1,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:11:18Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c9a7841e694ed7e3df3ea61e1afdb7b0aef4fa8c77e776a89e3cb3b4398ce3f5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:12:47Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1\\\", \\\"digests\\\": [\\\"sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:12:47+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":1,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:12:38Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/commit_sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/pull_request_number": "22760",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ouibog",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-sth6c",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516/records/b7c0f39e-aa32-4801-bf9d-fa1cdd328e7a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"eventType\":\"pull_request\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-9p2jjw",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:51:21Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRunUID": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "16138e89992e306dd1eeb294e0e873d41676907ab34d46211eba994ac5654f"
                },
                "name": "pyt732174834667a745014b53612903a4cf-coverity-availability-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-sth6c",
                        "uid": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516"
                    }
                ],
                "resourceVersion": "20801",
                "uid": "b7c0f39e-aa32-4801-bf9d-fa1cdd328e7a"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:51:39Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:51:39Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pyt732174834667a745014b536193c89f3dfd809ae01c6ce16a828bb1a7-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-01T19:51:37+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T19:51:22Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://92b7ef0dbad18ab8f8b4ee5b453940c2df136ff536bcc87208c9c4fbb9d405c2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:51:37Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-01T19:51:37+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:51:37Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/commit_sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/pull_request_number": "22760",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ouibog",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-sth6c",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516/records/d8427c6f-aff9-493b-a0c5-5af567036600",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"eventType\":\"pull_request\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-9p2jjw",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:51:21Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRunUID": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "16138e89992e306dd1eeb294e0e873d41676907ab34d46211eba994ac5654f"
                },
                "name": "pyt732174834667a745014b53612903a4cf-deprecated-base-image-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-sth6c",
                        "uid": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516"
                    }
                ],
                "resourceVersion": "20723",
                "uid": "d8427c6f-aff9-493b-a0c5-5af567036600"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:51:47Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:51:47Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pyt732174834667a745014b536193234db45f2e5fb05007210353d2ea04-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936\", \"digests\": [\"sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T19:51:46+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":1,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T19:51:21Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://cf60fe87a01a6b40884328aa29a160c60dc79408fcdf16b1f55ad7c02819e3f5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:51:46Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936\\\", \\\"digests\\\": [\\\"sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T19:51:46+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":1,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:51:37Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/commit_sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxyydw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-5kxfk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b/records/750f9af0-0065-4abf-8791-d09e64595e7e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"eaf5145465afd89b8a597b830707cb4caa58ced6\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-oy4t5e-on-pull-request-s8dmv is running for component go-component-oy4t5e, waiting for it to create a new group Snapshot for PR group pr-branch-b5o23l",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:49Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRunUID": "32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "pytadd660014ceb90d7e9cd34ed6527e728-coverity-availability-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-5kxfk",
                        "uid": "32947213-94bc-4e25-acf5-b3c61ebf2e8b"
                    }
                ],
                "resourceVersion": "33019",
                "uid": "750f9af0-0065-4abf-8791-d09e64595e7e"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:04:03Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:04:03Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pytadd660014ceb90d7e9cd34ede1b1afdbeaff3b2095e7b869d0e020de-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-01T20:04:01+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:03:51Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://307a46b3eb8e890b9966f72978713e92ac0df88b4e3b587c9e9c33c661244541",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:04:01Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-01T20:04:01+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:04:01Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/commit_sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxyydw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-5kxfk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b/records/21538d73-f0a2-44ac-b5ad-3ebca7a934c3",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"eaf5145465afd89b8a597b830707cb4caa58ced6\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-oy4t5e-on-pull-request-s8dmv is running for component go-component-oy4t5e, waiting for it to create a new group Snapshot for PR group pr-branch-b5o23l",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:49Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRunUID": "32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "pytadd660014ceb90d7e9cd34ed6527e728-deprecated-base-image-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-5kxfk",
                        "uid": "32947213-94bc-4e25-acf5-b3c61ebf2e8b"
                    }
                ],
                "resourceVersion": "33705",
                "uid": "21538d73-f0a2-44ac-b5ad-3ebca7a934c3"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:04:19Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:04:19Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pytadd660014ceb90d7e9cd34ed31d3afcef8dbd4069553d14a7914144b-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6\", \"digests\": [\"sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:04:10+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":1,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:03:49Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2b687bc69d84c287728588c938521706feeb7dedb7ce44c4691563165e060737",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:04:10Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6\\\", \\\"digests\\\": [\\\"sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:04:10+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":1,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:04:01Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/commit_sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-74c24bc410",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tpitzu",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-srs4j",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6/records/8abd3fe2-0852-4d38-bdf3-e83e6088e683",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"100d294565b847cca92e0c65101c1f8daf75abd1\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:07:11Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRunUID": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-co0335ee6cf8ed62a1cdc0e1208a76147f-prefetch-dependencies",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-srs4j",
                        "uid": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6"
                    }
                ],
                "resourceVersion": "36790",
                "uid": "8abd3fe2-0852-4d38-bdf3-e83e6088e683"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-32734df628"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-tpitzu"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:07:22Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:07:22Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-co0335ee6cf8ed62a1cd1cd7f514623f4d5a1c6ebc2d591a8450-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-01T20:07:11Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f93bda849832140b27c51b00618abe960047d0c53f7fafc5581b6e8d54d61cde",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:07:21Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:07:16Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/commit_sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/pull_request_number": "22760",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-22165d3ed2",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ouibog",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-sth6c",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516/records/ed9d6623-4cc6-4c51-af90-1e1910089273",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"eventType\":\"pull_request\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-9p2jjw",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:47:21Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRunUID": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies",
                    "test.appstudio.openshift.io/pr-group-sha": "16138e89992e306dd1eeb294e0e873d41676907ab34d46211eba994ac5654f"
                },
                "name": "python-co732174834667a745014b53612903a4cf-prefetch-dependencies",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-sth6c",
                        "uid": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516"
                    }
                ],
                "resourceVersion": "17391",
                "uid": "ed9d6623-4cc6-4c51-af90-1e1910089273"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-7cf5030513"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-ouibog"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:47:32Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:47:32Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-co732174834667a745012d1b332b86e935a2d56515946ba09574-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-01T19:47:21Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://78ed7bdd9ac283b9b6f993176c55f828725a35c90d13c6f25cbda782f67f8fb6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:47:31Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:47:26Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/commit_sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-879ed7b3a1",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxyydw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-5kxfk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b/records/a3f0eb2d-5b4d-41c9-a4ec-faae369c4e49",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"eaf5145465afd89b8a597b830707cb4caa58ced6\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-oy4t5e-on-pull-request-s8dmv is running for component go-component-oy4t5e, waiting for it to create a new group Snapshot for PR group pr-branch-b5o23l",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:59:54Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRunUID": "32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-coadd660014ceb90d7e9cd34ed6527e728-prefetch-dependencies",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-5kxfk",
                        "uid": "32947213-94bc-4e25-acf5-b3c61ebf2e8b"
                    }
                ],
                "resourceVersion": "29336",
                "uid": "a3f0eb2d-5b4d-41c9-a4ec-faae369c4e49"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-5e1d01096c"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-zxyydw"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:00:06Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:00:06Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-coadd660014ceb90d7e946ac3f913c72e1d8c8a2deafff450a4b-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-01T19:59:55Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://db33a16d560bb343f46232a8cd875b36c0b6b96ce088c9540fcc108166f530b5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:00:05Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:59:58Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/commit_sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tpitzu",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-srs4j",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6/records/97ed914c-e8a1-401e-ae79-a03a42ad0bb1",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"100d294565b847cca92e0c65101c1f8daf75abd1\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:11:18Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRunUID": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-comp0335ee6cf8ed62a1cdc0e1208a76147f-rpms-signature-scan",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-srs4j",
                        "uid": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6"
                    }
                ],
                "resourceVersion": "40938",
                "uid": "97ed914c-e8a1-401e-ae79-a03a42ad0bb1"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:12:37Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:12:37Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-comp0335ee6cf8ed62a150285a9aa7785696de565ec60c37468b-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1\", \"digests\": [\"sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 467, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:12:36+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:11:22Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://503765c0368cbad01373e6cb456736311d47858e9a099e3f1d6b6587a0ee88d1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:12:34Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:11:38Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e26986f4b23c972c702123e6a86cd55306de0000c3e74bd6883ff4adeb04bc21",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:12:36Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1\\\", \\\"digests\\\": [\\\"sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 467, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:12:36+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:12:35Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/commit_sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/pull_request_number": "22760",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ouibog",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-sth6c",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516/records/de9e650b-4249-429b-a814-8d70b8b1104c",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"eventType\":\"pull_request\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-9p2jjw",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:51:21Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRunUID": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "16138e89992e306dd1eeb294e0e873d41676907ab34d46211eba994ac5654f"
                },
                "name": "python-comp732174834667a745014b53612903a4cf-rpms-signature-scan",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-sth6c",
                        "uid": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516"
                    }
                ],
                "resourceVersion": "21428",
                "uid": "de9e650b-4249-429b-a814-8d70b8b1104c"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:52:34Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:52:34Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-comp732174834667a7453c6f1d2658de4f29580d7882b995f25a-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936\", \"digests\": [\"sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 467, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T19:52:33+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T19:51:25Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://fd051ff3064ec341efc4c9876faa79c0afd2b0a44e5bca9ee0e308b72df60159",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:52:32Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:51:40Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://93c4da3f6de0b58e53ce0444cef0e89680ef29018e78d911724a5fda5afc8ae7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:52:33Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936\\\", \\\"digests\\\": [\\\"sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 467, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T19:52:33+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:52:32Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/commit_sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxyydw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-5kxfk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b/records/44023fd8-ac8b-4a2a-ab52-e2ab051236cd",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"eaf5145465afd89b8a597b830707cb4caa58ced6\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-oy4t5e-on-pull-request-s8dmv is running for component go-component-oy4t5e, waiting for it to create a new group Snapshot for PR group pr-branch-b5o23l",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:50Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRunUID": "32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-compadd660014ceb90d7e9cd34ed6527e728-rpms-signature-scan",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-5kxfk",
                        "uid": "32947213-94bc-4e25-acf5-b3c61ebf2e8b"
                    }
                ],
                "resourceVersion": "34219",
                "uid": "44023fd8-ac8b-4a2a-ab52-e2ab051236cd"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:05:27Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:05:27Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-compadd660014ceb90d785981c60346d7016ec8ee03d3659f218-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6\", \"digests\": [\"sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 467, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:05:26+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:03:56Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5ff4301a575770cc5a328bf4892099660168c95880d7938326075b278637f3c1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:05:25Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:04:27Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://271b4152fd6e81f77d5952968cd27d17a7360de4535adf0a17ea55c3525e213a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:05:26Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6\\\", \\\"digests\\\": [\\\"sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 467, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:05:26+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:05:25Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/commit_sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-74c24bc410",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tpitzu",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-srs4j",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6/records/34a96b9d-328a-4dd6-8ebd-d4c561132815",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"100d294565b847cca92e0c65101c1f8daf75abd1\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:11:18Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRunUID": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-compo0335ee6cf8ed62a1cdc0e1208a76147f-sast-unicode-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-srs4j",
                        "uid": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6"
                    }
                ],
                "resourceVersion": "40085",
                "uid": "34a96b9d-328a-4dd6-8ebd-d4c561132815"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-32734df628"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:11:41Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:11:41Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-compo0335ee6cf8ed62a32e90d7a477c4f53d81fc3cf837e755a-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:11:40+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:11:20Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://24273752101fcf275f98318f9c5d3ab40742ea2358721c5e92d0c311ada988f4",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:11:40Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:11:40+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:11:38Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a7d2cc3421b2d9d866cdf67cbb32e94f53897bc6c54d321aec8ecc8efeaaec42",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:11:41Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:11:40+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:11:40Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/commit_sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/pull_request_number": "22760",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-22165d3ed2",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ouibog",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-sth6c",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516/records/83c6ecff-5cc3-4f5f-b27c-efe0cf2176b3",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"eventType\":\"pull_request\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-9p2jjw",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:51:21Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRunUID": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "16138e89992e306dd1eeb294e0e873d41676907ab34d46211eba994ac5654f"
                },
                "name": "python-compo732174834667a745014b53612903a4cf-sast-unicode-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-sth6c",
                        "uid": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516"
                    }
                ],
                "resourceVersion": "20805",
                "uid": "83c6ecff-5cc3-4f5f-b27c-efe0cf2176b3"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-7cf5030513"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:51:44Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:51:44Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-compo732174834667a74c886beeb0181adbe0c91745d0cd99855-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T19:51:42+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T19:51:24Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://61b1dfb7d0e57a7b984de7153f32cd6db2ad49f3261e447af22e4787ccc2a55f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:51:42Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T19:51:42+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:51:41Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c0daca1b258641f09273e2f92191b8024c3ac378e299931dfc119d8b324b9e59",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:51:44Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T19:51:42+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:51:43Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/commit_sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-879ed7b3a1",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxyydw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-5kxfk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b/records/492247af-d855-45a3-ba9c-48c22727d427",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"eaf5145465afd89b8a597b830707cb4caa58ced6\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-oy4t5e-on-pull-request-s8dmv is running for component go-component-oy4t5e, waiting for it to create a new group Snapshot for PR group pr-branch-b5o23l",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:50Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRunUID": "32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-compoadd660014ceb90d7e9cd34ed6527e728-sast-unicode-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-5kxfk",
                        "uid": "32947213-94bc-4e25-acf5-b3c61ebf2e8b"
                    }
                ],
                "resourceVersion": "34136",
                "uid": "492247af-d855-45a3-ba9c-48c22727d427"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-5e1d01096c"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:04:38Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:04:38Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-compoadd660014ceb90d8be8a8bcc86f9716ce14fe8301ba9608-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:04:17+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:03:52Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a0305c3599673f8bf9ff9abf58379e0b2db212a64986f2e1d15f74bff0c4daf7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:04:17Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:04:17+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:04:11Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b76bfc971d2de99cbd04f2db7c38a53bb02350bd6ee102fed209fc11464443f5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:04:19Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:04:17+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:04:18Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/commit_sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxyydw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-5kxfk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b/records/f145ceb8-7ee5-42cd-84c1-44aa653edfdb",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"eaf5145465afd89b8a597b830707cb4caa58ced6\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-oy4t5e-on-pull-request-s8dmv is running for component go-component-oy4t5e, waiting for it to create a new group Snapshot for PR group pr-branch-b5o23l",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:50Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRunUID": "32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-component-9p2jjw-on-pull-request-5kxfk-apply-tags",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-5kxfk",
                        "uid": "32947213-94bc-4e25-acf5-b3c61ebf2e8b"
                    }
                ],
                "resourceVersion": "33142",
                "uid": "f145ceb8-7ee5-42cd-84c1-44aa653edfdb"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:04:06Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:04:06Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-pull-request-5kxfk-apply-tags-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-01T20:03:53Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f1fbc2ed1f278befe9332df1db5ab1fa83b3f6d745772816e3789b6ed315b155",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:04:05Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:04:04Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6",
                                "--digest",
                                "sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/commit_sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-879ed7b3a1",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxyydw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-5kxfk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b/records/b8e87105-708a-4204-9081-533ba669657a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"eaf5145465afd89b8a597b830707cb4caa58ced6\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-oy4t5e-on-pull-request-s8dmv is running for component go-component-oy4t5e, waiting for it to create a new group Snapshot for PR group pr-branch-b5o23l",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:00:06Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRunUID": "32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-component-9p2jjw-on-pull-request-5kxfk-build-container",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-5kxfk",
                        "uid": "32947213-94bc-4e25-acf5-b3c61ebf2e8b"
                    }
                ],
                "resourceVersion": "31700",
                "uid": "b8e87105-708a-4204-9081-533ba669657a"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "eaf5145465afd89b8a597b830707cb4caa58ced6"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-5e1d01096c"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:03:31Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:03:31Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-65e855d4716e06bcf5a542297b42d9a9-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6@sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:6caafdf223fbf4d06867655a44730456b11599dc1d7e16cb96f5339fb19c1a96"
                    }
                ],
                "startTime": "2026-07-01T20:00:06Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://809c6d254fec86fa83566da33ff7e3349f4f9ab4354a9bc9e075667b46b7e24f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:00:51Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:00:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d364c7dacaa339af5f8f33a5942927838b467c8b5597181056a1cd5b436438bc",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:01:47Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6@sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:00:52Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://daa61bab2ab15b60f7ce4fe8071aed1edeae6ebb648597dffc8f7bb67cd9e216",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:02:18Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6@sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:01:47Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://27e3a69bba7ddbf22f698bc7166a45faf1ff0fb3957f7a7c31dadf7fdbb3bfcb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:02:49Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6@sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:02:19Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://da14d3cba3a9ac00de59c98d2cbf1bc345d261bc3e08e4312a21c20381997e15",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:30Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6@sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:6caafdf223fbf4d06867655a44730456b11599dc1d7e16cb96f5339fb19c1a96\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:02:50Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "python-component"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "eaf5145465afd89b8a597b830707cb4caa58ced6"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "docker/Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "python-component-9p2jjw-on-pull-request-5kxfk-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/commit_sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxyydw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-5kxfk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b/records/e9abcb10-09fb-49bb-9a6c-c16e9a64fc01",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"eaf5145465afd89b8a597b830707cb4caa58ced6\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-oy4t5e-on-pull-request-s8dmv is running for component go-component-oy4t5e, waiting for it to create a new group Snapshot for PR group pr-branch-b5o23l",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:32Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRunUID": "32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-component-9p2jjw-on-pull-request-5kxfk-build-image-index",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-5kxfk",
                        "uid": "32947213-94bc-4e25-acf5-b3c61ebf2e8b"
                    }
                ],
                "resourceVersion": "31992",
                "uid": "e9abcb10-09fb-49bb-9a6c-c16e9a64fc01"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "eaf5145465afd89b8a597b830707cb4caa58ced6"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6@sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:03:47Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:03:47Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-ba8e1648a2ee6212536a2b890cb6c93e-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                    }
                ],
                "startTime": "2026-07-01T20:03:32Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ebedcada083e0515561fbaa0b16322a1faed3527873acfbcd618c0cdcbde7247",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:43Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:39Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4c6f850cc7614b67ff7f93b4143f81e152cafb70e48e02581c37c77d842c587c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:44Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:43Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4aedb101bbb79fab222279efbe0cc2a7e008dfaf8406bfd18417317f5a00f22d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:03:47Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:03:44Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "eaf5145465afd89b8a597b830707cb4caa58ced6"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6@sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:python-component-9p2jjw-on-pull-request-5kxfk-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:python-component-9p2jjw-on-pull-request-5kxfk-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/commit_sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxyydw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-5kxfk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b/records/df4980d3-b0d0-4c1b-b8c5-c6500c1b8826",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"eaf5145465afd89b8a597b830707cb4caa58ced6\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-oy4t5e-on-pull-request-s8dmv is running for component go-component-oy4t5e, waiting for it to create a new group Snapshot for PR group pr-branch-b5o23l",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:49Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRunUID": "32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-component-9p2jjw-on-pull-request-5kxfk-clair-scan",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-5kxfk",
                        "uid": "32947213-94bc-4e25-acf5-b3c61ebf2e8b"
                    }
                ],
                "resourceVersion": "34925",
                "uid": "df4980d3-b0d0-4c1b-b8c5-c6500c1b8826"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:05:58Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:05:58Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-pull-request-5kxfk-clair-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6\", \"digests\": [\"sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\":\"sha256:de69287e678e48df1c92328082cc2c38a202d2027331aa6e0d418b317d3788a3\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":331,\"medium\":873,\"low\":241,\"unknown\":2},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":4,\"medium\":489,\"low\":633,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:05:57+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:03:49Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://890b7dd08a843c71e8f4be2e4809198309767c98ed60bfefa504deae2ce5cf00",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:04:07Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:04:01Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://80f96eebd59a587f408fb58afb7882a432d6a632deade83da8634464f586053e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:05:19Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:04:07Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://63605491b24c9847a6dfdb85d83e5426088b90dbeb4b711a9aad46e11360ac78",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:05:25Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:05:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://58418119893dbafaa63fe055b8acea28cedb7838a5c11a92aa957a6da9c05d0d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:05:57Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6\\\", \\\"digests\\\": [\\\"sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\\\":\\\"sha256:de69287e678e48df1c92328082cc2c38a202d2027331aa6e0d418b317d3788a3\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":331,\\\"medium\\\":873,\\\"low\\\":241,\\\"unknown\\\":2},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":4,\\\"medium\\\":489,\\\"low\\\":633,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:05:57+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:05:25Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/commit_sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxyydw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-5kxfk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b/records/941f8ddc-7ed7-4c26-9109-07ce0ff06707",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"eaf5145465afd89b8a597b830707cb4caa58ced6\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-oy4t5e-on-pull-request-s8dmv is running for component go-component-oy4t5e, waiting for it to create a new group Snapshot for PR group pr-branch-b5o23l",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:49Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRunUID": "32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-component-9p2jjw-on-pull-request-5kxfk-clamav-scan",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-5kxfk",
                        "uid": "32947213-94bc-4e25-acf5-b3c61ebf2e8b"
                    }
                ],
                "resourceVersion": "34111",
                "uid": "941f8ddc-7ed7-4c26-9109-07ce0ff06707"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:05:24Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:05:24Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-pull-request-5kxfk-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6\", \"digests\": [\"sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782936318\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-01T20:03:51Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:2da6c1a37fef998b68b675505fb654b1123e3cd889c190c59b4527d11621e8fc",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://770c4a64e431ad1952c6838fc1affcf3ab638bf4ac59778d114511786e6b5329",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:05:18Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6\\\", \\\"digests\\\": [\\\"sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782936318\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:04:03Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7d6318374d107b19d1b0ba4e2b60b74150cf575decdea5cca2fc1586dc2ac3c1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:05:23Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6\\\", \\\"digests\\\": [\\\"sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782936318\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:05:19Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/commit_sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-879ed7b3a1",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxyydw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-5kxfk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b/records/be501990-a811-483f-b6d7-f7710bf324d4",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"eaf5145465afd89b8a597b830707cb4caa58ced6\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-oy4t5e-on-pull-request-s8dmv is running for component go-component-oy4t5e, waiting for it to create a new group Snapshot for PR group pr-branch-b5o23l",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:59:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRunUID": "32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-component-9p2jjw-on-pull-request-5kxfk-clone-repository",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-5kxfk",
                        "uid": "32947213-94bc-4e25-acf5-b3c61ebf2e8b"
                    }
                ],
                "resourceVersion": "29264",
                "uid": "be501990-a811-483f-b6d7-f7710bf324d4"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "revision",
                        "value": "eaf5145465afd89b8a597b830707cb4caa58ced6"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-5e1d01096c"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-zxyydw"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:59:49Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:59:49Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-b78149de92829d4dc868ab91a33091c8-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "eaf5145465afd89b8a597b830707cb4caa58ced6"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "eaf5145465afd89b8a597b830707cb4caa58ced6"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1782935942"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "eaf5145"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    }
                ],
                "startTime": "2026-07-01T19:59:42Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://459ffb5489a960358104219e527cdb60ffce29c0e13a58262240a61087d10485",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:59:47Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"eaf5145465afd89b8a597b830707cb4caa58ced6\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"eaf5145465afd89b8a597b830707cb4caa58ced6\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782935942\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"eaf5145\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:59:47Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://bdf0e8a35acd440eeab566bca1f4e3416d95e39476b836ad16884e7aa492e053",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:59:48Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"eaf5145465afd89b8a597b830707cb4caa58ced6\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"eaf5145465afd89b8a597b830707cb4caa58ced6\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782935942\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"eaf5145\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:59:48Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "eaf5145465afd89b8a597b830707cb4caa58ced6"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/commit_sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxyydw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-5kxfk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b/records/3af44ad2-a346-4823-83c4-5135121394b5",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"eaf5145465afd89b8a597b830707cb4caa58ced6\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-oy4t5e-on-pull-request-s8dmv is running for component go-component-oy4t5e, waiting for it to create a new group Snapshot for PR group pr-branch-b5o23l",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:59:34Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRunUID": "32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-component-9p2jjw-on-pull-request-5kxfk-init",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-5kxfk",
                        "uid": "32947213-94bc-4e25-acf5-b3c61ebf2e8b"
                    }
                ],
                "resourceVersion": "29011",
                "uid": "3af44ad2-a346-4823-83c4-5135121394b5"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:59:39Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:59:39Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-pull-request-5kxfk-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-01T19:59:34Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://1e532e44254faff4986dd4338239993ea12a9ff33ff7fe3fbc7d83d87e02d67f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:59:38Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:59:37Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/commit_sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-879ed7b3a1",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxyydw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-5kxfk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b/records/affeed86-fee6-4b41-877a-8068765c01de",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"eaf5145465afd89b8a597b830707cb4caa58ced6\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-oy4t5e-on-pull-request-s8dmv is running for component go-component-oy4t5e, waiting for it to create a new group Snapshot for PR group pr-branch-b5o23l",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:50Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRunUID": "32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-component-9p2jjw-on-pull-request-5kxfk-push-dockerfile",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-5kxfk",
                        "uid": "32947213-94bc-4e25-acf5-b3c61ebf2e8b"
                    }
                ],
                "resourceVersion": "34205",
                "uid": "affeed86-fee6-4b41-877a-8068765c01de"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-5e1d01096c"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:04:40Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:04:40Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-05f968ee66d9353bbb077079ce4456ea-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:84a2d228c00b35837cf8221cbdafd791fbaddbb483859211e4a838709ce4f098"
                    }
                ],
                "startTime": "2026-07-01T20:03:54Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2b6652cbc6325ac5629adc05ec3fce5915241c1221cdfab3e99ddd37aa97a11a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:04:17Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:84a2d228c00b35837cf8221cbdafd791fbaddbb483859211e4a838709ce4f098\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:04:16Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                "python-component",
                                "--containerfile",
                                "docker/Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6",
                                "--image-digest",
                                "sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/commit_sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-879ed7b3a1",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxyydw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-5kxfk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b/records/be839e19-21ab-4e41-af8e-01f2904077df",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"eaf5145465afd89b8a597b830707cb4caa58ced6\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-oy4t5e-on-pull-request-s8dmv is running for component go-component-oy4t5e, waiting for it to create a new group Snapshot for PR group pr-branch-b5o23l",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:50Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRunUID": "32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-component-9p2jjw-on-pull-request-5kxfk-sast-shell-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-5kxfk",
                        "uid": "32947213-94bc-4e25-acf5-b3c61ebf2e8b"
                    }
                ],
                "resourceVersion": "34126",
                "uid": "be839e19-21ab-4e41-af8e-01f2904077df"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-5e1d01096c"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:04:40Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:04:40Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-ef228b3a6616981fa17206161e5ec6ee-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:04:16+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:03:52Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6b6d64898e3ef416d4cdbf2508686a7b0a4ad1ff0312a0c809af0b606d8a9c15",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:04:17Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:04:16+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:04:11Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e3f337b056cf696311500f5a296639f7d3907524ec8fa425729b666c64c93107",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:04:18Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:04:16+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:04:17Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/commit_sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-879ed7b3a1",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxyydw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-5kxfk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b/records/bb11e59d-481d-404f-aa2a-555807e48418",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"eaf5145465afd89b8a597b830707cb4caa58ced6\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-oy4t5e-on-pull-request-s8dmv is running for component go-component-oy4t5e, waiting for it to create a new group Snapshot for PR group pr-branch-b5o23l",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:49Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRunUID": "32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-component-9p2jjw-on-pull-request-5kxfk-sast-snyk-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-5kxfk",
                        "uid": "32947213-94bc-4e25-acf5-b3c61ebf2e8b"
                    }
                ],
                "resourceVersion": "32975",
                "uid": "bb11e59d-481d-404f-aa2a-555807e48418"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-5e1d01096c"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:04:06Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:04:06Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-58cd78ab50cfe4004d0693891bd823dc-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-01T20:04:05+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:03:50Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7f2ee21f521ab5cde9f41a0a212d3c894f65b17a3c87cdaf8ecb6d7ae9095796",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:04:05Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-01T20:04:05+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:04:03Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://be627c3d5ff431dcc299b1538bad5fc061f1ae91079276b437898a60391397c5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:04:05Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-01T20:04:05+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:04:05Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/commit_sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tpitzu",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-srs4j",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6/records/7559dc8a-6f3a-49af-a432-ef117fed65cc",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"100d294565b847cca92e0c65101c1f8daf75abd1\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:11:18Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRunUID": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-component-9p2jjw-on-pull-request-srs4j-apply-tags",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-srs4j",
                        "uid": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6"
                    }
                ],
                "resourceVersion": "39938",
                "uid": "7559dc8a-6f3a-49af-a432-ef117fed65cc"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:11:36Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:11:36Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-pull-request-srs4j-apply-tags-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-01T20:11:21Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d457a140800042141e6843ed13bde44e5fc192c3ba2ae5e593118e7309db3ac8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:11:36Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:11:35Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1",
                                "--digest",
                                "sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/commit_sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-74c24bc410",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tpitzu",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-srs4j",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6/records/8babfda5-df5a-4339-995f-109db8f10e10",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"100d294565b847cca92e0c65101c1f8daf75abd1\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:07:23Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRunUID": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-component-9p2jjw-on-pull-request-srs4j-build-container",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-srs4j",
                        "uid": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6"
                    }
                ],
                "resourceVersion": "39163",
                "uid": "8babfda5-df5a-4339-995f-109db8f10e10"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "100d294565b847cca92e0c65101c1f8daf75abd1"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-32734df628"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:10:49Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:10:49Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-3045b8cdf4237e061b6dd54406d1896f-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1@sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:a1d155a7c5a8780294f59619f42e3661767e0b94706adb0507631323d63db523"
                    }
                ],
                "startTime": "2026-07-01T20:07:24Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://61868ba2b7a7b46038b39ea04f4b3687d1fec90efb048fd7482d562888f532be",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:08:15Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:07:31Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ee07cc85d2652aed8895f98561ce97c4fc63b702e913724026d1609f1f21ab78",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:09:05Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1@sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:08:15Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c4495b970f6460f86b3045ba3d02e82ac844141f8773c6bcfff4390021edea19",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:09:36Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1@sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:09:05Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d8f66f5c6216df02699ecee4f46835cb04f48cd87b4818c69f7eabd9fe8e04e0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:10:10Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1@sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:09:36Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://31038e626e3552b0ab40898f9328e3809fbf3cdac8cd45e6020ef31471d4352a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:10:49Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1@sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:a1d155a7c5a8780294f59619f42e3661767e0b94706adb0507631323d63db523\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:10:10Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "python-component"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "100d294565b847cca92e0c65101c1f8daf75abd1"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "docker/Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "python-component-9p2jjw-on-pull-request-srs4j-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/commit_sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tpitzu",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-srs4j",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6/records/062e07f9-073d-44ba-9bfe-67fddafe458a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"100d294565b847cca92e0c65101c1f8daf75abd1\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:10:50Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRunUID": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-component-9p2jjw-on-pull-request-srs4j-build-image-index",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-srs4j",
                        "uid": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6"
                    }
                ],
                "resourceVersion": "39486",
                "uid": "062e07f9-073d-44ba-9bfe-67fddafe458a"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "100d294565b847cca92e0c65101c1f8daf75abd1"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1@sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:11:17Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:11:17Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-32a757e13583d2a47840c9526d03ecba-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                    }
                ],
                "startTime": "2026-07-01T20:10:50Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c9f7947f3aa84856801426decbe95a071365da4f7d008a750f6b56fb17a65da8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:11:04Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:10:59Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c4fb93edd4a906ec451680b83da6996cebc773bb78fa4a076927847e101071e1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:11:04Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:11:04Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6376f7a341502a17cb509cc2577858a131dc8c01c0580c116d915e37b6b106bd",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:11:09Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:11:04Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "100d294565b847cca92e0c65101c1f8daf75abd1"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1@sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:python-component-9p2jjw-on-pull-request-srs4j-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:python-component-9p2jjw-on-pull-request-srs4j-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/commit_sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tpitzu",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-srs4j",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6/records/e7c45bf1-7606-49e5-a5aa-48809c7f9410",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"100d294565b847cca92e0c65101c1f8daf75abd1\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:11:18Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRunUID": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-component-9p2jjw-on-pull-request-srs4j-clair-scan",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-srs4j",
                        "uid": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6"
                    }
                ],
                "resourceVersion": "41694",
                "uid": "e7c45bf1-7606-49e5-a5aa-48809c7f9410"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:13:03Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:13:03Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-pull-request-srs4j-clair-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1\", \"digests\": [\"sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\":\"sha256:87df579b8c893b3ea399379d1edfd40e0a0cff75fd603e22b7cb4978ec9b4600\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":331,\"medium\":873,\"low\":241,\"unknown\":2},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":4,\"medium\":489,\"low\":633,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:13:02+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:11:18Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://27ee2f9e97040332ed75b47c925bbcd63b5905bc90ccc127746d64712f860008",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:11:44Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:11:38Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f62f6c865c4cdbed0c1998a8ac0c2ec1eddc91740e9d6242a20e36667350cfd9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:12:22Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:11:45Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d335bc1d6bf76dd99e6be38b502fd7c680eed8e469f867531b471641139038ca",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:12:26Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:12:23Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3b091bacde521e0014f1026e33ba529a2f2b461ccbbf8ced10cc175ba12d51d9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:13:02Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1\\\", \\\"digests\\\": [\\\"sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\\\":\\\"sha256:87df579b8c893b3ea399379d1edfd40e0a0cff75fd603e22b7cb4978ec9b4600\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":331,\\\"medium\\\":873,\\\"low\\\":241,\\\"unknown\\\":2},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":4,\\\"medium\\\":489,\\\"low\\\":633,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:13:02+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:12:27Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/commit_sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tpitzu",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-srs4j",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6/records/bb0ad36b-ad28-4d03-8488-88ca1940ec0e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"100d294565b847cca92e0c65101c1f8daf75abd1\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:11:18Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRunUID": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-component-9p2jjw-on-pull-request-srs4j-clamav-scan",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-srs4j",
                        "uid": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6"
                    }
                ],
                "resourceVersion": "41180",
                "uid": "bb0ad36b-ad28-4d03-8488-88ca1940ec0e"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:12:52Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:12:52Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-pull-request-srs4j-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1\", \"digests\": [\"sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782936768\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-01T20:11:19Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:2da6c1a37fef998b68b675505fb654b1123e3cd889c190c59b4527d11621e8fc",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2bad29053d43f09ff0a2c2778712bb21e0c758ad44b811030e020990a008176a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:12:48Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1\\\", \\\"digests\\\": [\\\"sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782936768\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:11:37Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4586afdf9ffdd21b9e927494cf3a82df4b617289919cad5b6af9ed02542fe545",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:12:51Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1\\\", \\\"digests\\\": [\\\"sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782936768\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:12:48Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/commit_sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-74c24bc410",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tpitzu",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-srs4j",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6/records/e691dfa6-142c-4b35-a666-5273dc1a4db6",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"100d294565b847cca92e0c65101c1f8daf75abd1\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:07:00Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRunUID": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-component-9p2jjw-on-pull-request-srs4j-clone-repository",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-srs4j",
                        "uid": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6"
                    }
                ],
                "resourceVersion": "36703",
                "uid": "e691dfa6-142c-4b35-a666-5273dc1a4db6"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "revision",
                        "value": "100d294565b847cca92e0c65101c1f8daf75abd1"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-32734df628"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-tpitzu"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:07:06Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:07:06Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-0e9acbead8dea9a22851cd97e09a1760-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "100d294565b847cca92e0c65101c1f8daf75abd1"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "100d294565b847cca92e0c65101c1f8daf75abd1"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1782936386"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "100d294"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    }
                ],
                "startTime": "2026-07-01T20:07:00Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4e6a8904ebf8dacc8108475569255fe38f534f03c06ceb0e4431096054174e90",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:07:05Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"100d294565b847cca92e0c65101c1f8daf75abd1\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"100d294565b847cca92e0c65101c1f8daf75abd1\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782936386\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"100d294\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:07:05Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e845c5871f62e7c513923405f947d0afff489d67a5bd7b6adf3e574799740464",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:07:06Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"100d294565b847cca92e0c65101c1f8daf75abd1\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"100d294565b847cca92e0c65101c1f8daf75abd1\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782936386\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"100d294\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:07:06Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "100d294565b847cca92e0c65101c1f8daf75abd1"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/commit_sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tpitzu",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-srs4j",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6/records/dc5ef0b7-7f19-4455-8b27-b1196a8f5427",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"100d294565b847cca92e0c65101c1f8daf75abd1\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:06:50Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRunUID": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-component-9p2jjw-on-pull-request-srs4j-init",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-srs4j",
                        "uid": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6"
                    }
                ],
                "resourceVersion": "36675",
                "uid": "dc5ef0b7-7f19-4455-8b27-b1196a8f5427"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:06:55Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:06:55Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-pull-request-srs4j-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-01T20:06:50Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://26e30e89f3c90cf61da4230db6c9b51a6c790998231fb5a0531dbb0649baf88e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:06:54Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:06:54Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/commit_sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-74c24bc410",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tpitzu",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-srs4j",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6/records/777456b6-b6d8-4729-9a64-83878450d162",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"100d294565b847cca92e0c65101c1f8daf75abd1\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:11:18Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRunUID": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-component-9p2jjw-on-pull-request-srs4j-push-dockerfile",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-srs4j",
                        "uid": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6"
                    }
                ],
                "resourceVersion": "40102",
                "uid": "777456b6-b6d8-4729-9a64-83878450d162"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-32734df628"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:11:39Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:11:39Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-907bcf75943198a3ea76456538c9a80b-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:c97972e52d528d9f869e37d2362f0019266fe194bd71e831d4cd175fe84afcd7"
                    }
                ],
                "startTime": "2026-07-01T20:11:21Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f5ab0c2e58079f3f29d8328217f357fa8918cd9ba58784a2aaea57fc2e80a426",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:11:39Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:c97972e52d528d9f869e37d2362f0019266fe194bd71e831d4cd175fe84afcd7\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:11:38Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                "python-component",
                                "--containerfile",
                                "docker/Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1",
                                "--image-digest",
                                "sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/commit_sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-74c24bc410",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tpitzu",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-srs4j",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6/records/278ded41-5635-41cf-8625-9facb716061b",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"100d294565b847cca92e0c65101c1f8daf75abd1\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:11:18Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRunUID": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-component-9p2jjw-on-pull-request-srs4j-sast-shell-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-srs4j",
                        "uid": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6"
                    }
                ],
                "resourceVersion": "40075",
                "uid": "278ded41-5635-41cf-8625-9facb716061b"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-32734df628"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:11:42Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:11:42Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-f8b44175f38c3c403bb01e6d38008b6d-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T20:11:40+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:11:20Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e9035ef9f941cdf6f22b47649b90b60299bd9473536f6cea8e793a572dfe981b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:11:40Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:11:40+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:11:39Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c767af2b201ebb35535a9c736b007057cb33285ebaa2ff03a2fe797175652794",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:11:42Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T20:11:40+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:11:41Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/commit_sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-74c24bc410",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tpitzu",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-srs4j",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6/records/6817db70-3e04-41b6-9041-e44743c0f94a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"100d294565b847cca92e0c65101c1f8daf75abd1\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:11:18Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRunUID": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-component-9p2jjw-on-pull-request-srs4j-sast-snyk-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-srs4j",
                        "uid": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6"
                    }
                ],
                "resourceVersion": "40063",
                "uid": "6817db70-3e04-41b6-9041-e44743c0f94a"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-32734df628"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:11:41Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:11:41Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-4e24871e69b492e97329a83d51f30992-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-01T20:11:40+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T20:11:18Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://0021f12dd9c274b653ac589c3528ba8105b08d8a20c437cc361cb29349f443d0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:11:40Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-01T20:11:40+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:11:38Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3005c5cd81647d49114893b16dd81f891bd317a613bb57a320d5f3e35794c358",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:11:40Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-01T20:11:40+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:11:40Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/commit_sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/pull_request_number": "22760",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ouibog",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-sth6c",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516/records/0f02ad30-c0fe-4d7b-9803-2e9e93374324",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"eventType\":\"pull_request\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-9p2jjw",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:51:21Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRunUID": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "16138e89992e306dd1eeb294e0e873d41676907ab34d46211eba994ac5654f"
                },
                "name": "python-component-9p2jjw-on-pull-request-sth6c-apply-tags",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-sth6c",
                        "uid": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516"
                    }
                ],
                "resourceVersion": "20623",
                "uid": "0f02ad30-c0fe-4d7b-9803-2e9e93374324"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:51:38Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:51:38Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-pull-request-sth6c-apply-tags-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-01T19:51:24Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://247d7e02938b8d7e3e54e35efb2b4e97e52b0c5b8ff4b3e2bf6ed936230e40bb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:51:36Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:51:35Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                                "--digest",
                                "sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/commit_sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/pull_request_number": "22760",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-22165d3ed2",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ouibog",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-sth6c",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516/records/3d68c388-2e19-408a-a4a5-add9bcb4845f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"eventType\":\"pull_request\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-9p2jjw",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:47:33Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRunUID": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "16138e89992e306dd1eeb294e0e873d41676907ab34d46211eba994ac5654f"
                },
                "name": "python-component-9p2jjw-on-pull-request-sth6c-build-container",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-sth6c",
                        "uid": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516"
                    }
                ],
                "resourceVersion": "19849",
                "uid": "3d68c388-2e19-408a-a4a5-add9bcb4845f"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-7cf5030513"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:50:54Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:50:54Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-7ddcd82ae031458994c7a22b1d9a3a12-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936@sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:8fbb43ff801661d301d1b25294f934c80240779fae386fcb9d9f691ae625f65d"
                    }
                ],
                "startTime": "2026-07-01T19:47:34Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d88e2716d2fd3170b3a36afb3c1b2f9ae53c6153ac3d8e92d9f0af9a95e525b5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:48:21Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:47:40Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8cc6ba2915754c602458e62b6e1ea1c93851de4e4d5fa16464cbb409d076e5d8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:49:12Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936@sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:48:21Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://57aabea2dbb9b3a8574fff8437fe51f50c0a2e8b594f1baa370075851a6cfe6a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:49:44Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936@sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:49:13Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3a5df9bcd23c7d0bbe68ae67278a0c117a53c0c1307e8fe2e6b1a7ec87f66587",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:50:15Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936@sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:49:45Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://1daf94ef39d30f45691e9fd4337952052c3680bdbcd1846edb6f7a87830e7b9c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:50:53Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936@sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:8fbb43ff801661d301d1b25294f934c80240779fae386fcb9d9f691ae625f65d\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:50:16Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "python-component"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "docker/Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "python-component-9p2jjw-on-pull-request-sth6c-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/commit_sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/pull_request_number": "22760",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ouibog",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-sth6c",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516/records/c7dfcdc8-a94b-4b6d-a2c0-0b15ed95a5ad",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"eventType\":\"pull_request\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-9p2jjw",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:50:55Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRunUID": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "16138e89992e306dd1eeb294e0e873d41676907ab34d46211eba994ac5654f"
                },
                "name": "python-component-9p2jjw-on-pull-request-sth6c-build-image-index",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-sth6c",
                        "uid": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516"
                    }
                ],
                "resourceVersion": "20217",
                "uid": "c7dfcdc8-a94b-4b6d-a2c0-0b15ed95a5ad"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936@sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:51:20Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:51:20Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-b4a6aa967f3233df34615a2eff244123-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                    }
                ],
                "startTime": "2026-07-01T19:50:55Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3af9e386caff62460e6f456dc74388be20f005af22657c91a74ca0d797983932",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:51:07Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:51:01Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a7bb0f2aeaa2f72b1301f0849b30c1b1629ffa55dc59f26a2852cfda1d3bc2a7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:51:09Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:51:07Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d5468713b6a8a300c7ca9aa3a84c96428fde2f09012bf70aea4f4602a72e879e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:51:13Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:51:07Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936@sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:python-component-9p2jjw-on-pull-request-sth6c-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:python-component-9p2jjw-on-pull-request-sth6c-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/commit_sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/pull_request_number": "22760",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ouibog",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-sth6c",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516/records/1e18f722-6073-49ce-a83a-597defe93579",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"eventType\":\"pull_request\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-9p2jjw",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:51:21Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRunUID": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "16138e89992e306dd1eeb294e0e873d41676907ab34d46211eba994ac5654f"
                },
                "name": "python-component-9p2jjw-on-pull-request-sth6c-clair-scan",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-sth6c",
                        "uid": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516"
                    }
                ],
                "resourceVersion": "21862",
                "uid": "1e18f722-6073-49ce-a83a-597defe93579"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:53:04Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:53:04Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-pull-request-sth6c-clair-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936\", \"digests\": [\"sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\":\"sha256:77fd72979c4ee2b475d2a4668a5e29e8a2ea930b19ebe43b8543e54baf0505d7\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":331,\"medium\":873,\"low\":241,\"unknown\":2},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":4,\"medium\":489,\"low\":633,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T19:53:03+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T19:51:21Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://79623c3d2f2da1fd21af73f86a2f782756c54ec1924af240ea189518b95af98e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:51:47Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:51:41Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3a5a7765f8f9356792bacab02fe4083598dccb55b74f77e651829399eda34c9c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:52:25Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:51:47Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7b95b8bc81076180636e80bea6c5f601153919abe4a31cd6cbc8662584ce4bd4",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:52:28Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:52:26Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a0ba9453974be9da265a268381e3537ec19d7e567f759e26beb1f9a72dc14ace",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:53:03Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936\\\", \\\"digests\\\": [\\\"sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\\\":\\\"sha256:77fd72979c4ee2b475d2a4668a5e29e8a2ea930b19ebe43b8543e54baf0505d7\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":331,\\\"medium\\\":873,\\\"low\\\":241,\\\"unknown\\\":2},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":4,\\\"medium\\\":489,\\\"low\\\":633,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T19:53:03+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:52:29Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/commit_sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/pull_request_number": "22760",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ouibog",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-sth6c",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516/records/1c6f7f15-df0f-45a4-b6c4-36e933badbb8",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"eventType\":\"pull_request\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-9p2jjw",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:51:21Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRunUID": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "16138e89992e306dd1eeb294e0e873d41676907ab34d46211eba994ac5654f"
                },
                "name": "python-component-9p2jjw-on-pull-request-sth6c-clamav-scan",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-sth6c",
                        "uid": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516"
                    }
                ],
                "resourceVersion": "21546",
                "uid": "1c6f7f15-df0f-45a4-b6c4-36e933badbb8"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:52:57Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:52:57Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-pull-request-sth6c-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936\", \"digests\": [\"sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782935573\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-01T19:51:22Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:2da6c1a37fef998b68b675505fb654b1123e3cd889c190c59b4527d11621e8fc",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://61e635630bec90d74d8cec3faa4d76efc9c3b50adb7de7b878facbbad9fdc118",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:52:53Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936\\\", \\\"digests\\\": [\\\"sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782935573\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:51:40Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f25ee9c58c2b47be83bbb88ea26607a301f47597dd0ead1cc35fba60ec256840",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:52:56Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936\\\", \\\"digests\\\": [\\\"sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782935573\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:52:54Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/commit_sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/pull_request_number": "22760",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-22165d3ed2",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ouibog",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-sth6c",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516/records/a9725361-21a3-4c73-b0ff-154489598434",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"eventType\":\"pull_request\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-9p2jjw",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:47:12Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRunUID": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "16138e89992e306dd1eeb294e0e873d41676907ab34d46211eba994ac5654f"
                },
                "name": "python-component-9p2jjw-on-pull-request-sth6c-clone-repository",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-sth6c",
                        "uid": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516"
                    }
                ],
                "resourceVersion": "17250",
                "uid": "a9725361-21a3-4c73-b0ff-154489598434"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "revision",
                        "value": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-7cf5030513"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-ouibog"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:47:19Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:47:19Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-9af4b9e105cfbdf0a543757ce80b9692-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1782935199"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "a3694f0"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    }
                ],
                "startTime": "2026-07-01T19:47:12Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://577f33bbf0a9b013a850feaa38714434c410e6b2e09fa5809b1608591be6c44b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:47:17Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782935199\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"a3694f0\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:47:17Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://22dbe30cc21f2f49bec9f4b1d25460d53d17178de71d3604b3ff0c86e08e8924",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:47:18Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782935199\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"a3694f0\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:47:18Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/commit_sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/pull_request_number": "22760",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ouibog",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-sth6c",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516/records/2c4c4305-2a54-4f24-87ae-60d4a535c59d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"eventType\":\"pull_request\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-9p2jjw",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:47:05Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRunUID": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "16138e89992e306dd1eeb294e0e873d41676907ab34d46211eba994ac5654f"
                },
                "name": "python-component-9p2jjw-on-pull-request-sth6c-init",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-sth6c",
                        "uid": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516"
                    }
                ],
                "resourceVersion": "17086",
                "uid": "2c4c4305-2a54-4f24-87ae-60d4a535c59d"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:47:09Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:47:09Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-pull-request-sth6c-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-01T19:47:05Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://1cbb6f8c775737f8ba197ec00f2feb793dd0574d10f1d43e894d49fe97ba511a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:47:08Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:47:08Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/commit_sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/pull_request_number": "22760",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-22165d3ed2",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ouibog",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-sth6c",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516/records/9f43d829-e99d-4074-8038-aafe1519a3ae",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"eventType\":\"pull_request\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-9p2jjw",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:51:21Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRunUID": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "16138e89992e306dd1eeb294e0e873d41676907ab34d46211eba994ac5654f"
                },
                "name": "python-component-9p2jjw-on-pull-request-sth6c-push-dockerfile",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-sth6c",
                        "uid": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516"
                    }
                ],
                "resourceVersion": "20671",
                "uid": "9f43d829-e99d-4074-8038-aafe1519a3ae"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-7cf5030513"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:51:41Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:51:41Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-f03b91dd698a1fa1c3682f143ab95327-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:d20e5a0849afe4d024ecbcdb42894dee4dd5139b13a05eab73786bbe7b67de72"
                    }
                ],
                "startTime": "2026-07-01T19:51:24Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://331c587a3b19abc478bde71652212d832568c034ae1307fc8071a4db2411e57d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:51:41Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:d20e5a0849afe4d024ecbcdb42894dee4dd5139b13a05eab73786bbe7b67de72\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:51:39Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                "python-component",
                                "--containerfile",
                                "docker/Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                                "--image-digest",
                                "sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/commit_sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/pull_request_number": "22760",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-22165d3ed2",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ouibog",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-sth6c",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516/records/91d64502-8117-4f6b-8c76-654e6f95e669",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"eventType\":\"pull_request\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-9p2jjw",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:51:21Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRunUID": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "16138e89992e306dd1eeb294e0e873d41676907ab34d46211eba994ac5654f"
                },
                "name": "python-component-9p2jjw-on-pull-request-sth6c-sast-shell-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-sth6c",
                        "uid": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516"
                    }
                ],
                "resourceVersion": "20803",
                "uid": "91d64502-8117-4f6b-8c76-654e6f95e669"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-7cf5030513"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:51:44Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:51:44Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-11596c745af96addf12389bde3f929e2-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T19:51:42+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T19:51:23Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3b68d9bd6f816457622e01774d2c57fd8bee76b9401e5a2cf58672e913e24313",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:51:42Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T19:51:42+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:51:40Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://278b9fbd50d89c9329029e4a81936ce1b6a60a903ed33e6cd806535e589f4674",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:51:44Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T19:51:42+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:51:43Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/commit_sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/pull_request_number": "22760",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-22165d3ed2",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ouibog",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-sth6c",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516/records/9fb0753a-a3d1-406d-83d5-da3ae492cad3",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"eventType\":\"pull_request\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-9p2jjw",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:51:21Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRunUID": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "16138e89992e306dd1eeb294e0e873d41676907ab34d46211eba994ac5654f"
                },
                "name": "python-component-9p2jjw-on-pull-request-sth6c-sast-snyk-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-sth6c",
                        "uid": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516"
                    }
                ],
                "resourceVersion": "20768",
                "uid": "9fb0753a-a3d1-406d-83d5-da3ae492cad3"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-7cf5030513"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:51:43Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:51:43Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-ca871485c7cc4d7a28e6a3ff3d1fe81c-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-01T19:51:42+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T19:51:21Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://59e355a31e5a9168a88acc338c8047f292f9cc27e6a1e9cec2281820f19e6da2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:51:42Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-01T19:51:42+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:51:41Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f865e82764330271d90256d4793c847154c17202d41fe7c063ee29c22e650d11",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:51:43Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-01T19:51:42+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:51:43Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/commit_sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxyydw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-5kxfk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b/records/b12d68fb-9007-47d3-8e63-76a49e8ace68",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"eaf5145465afd89b8a597b830707cb4caa58ced6\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-oy4t5e-on-pull-request-s8dmv is running for component go-component-oy4t5e, waiting for it to create a new group Snapshot for PR group pr-branch-b5o23l",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:03:49Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84624981507",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "eaf5145465afd89b8a597b830707cb4caa58ced6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-5kxfk",
                    "tekton.dev/pipelineRunUID": "32947213-94bc-4e25-acf5-b3c61ebf2e8b",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-component-9p2jjw-on-pull6f6d8106b39796510f9b4202fb60e8de",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-5kxfk",
                        "uid": "32947213-94bc-4e25-acf5-b3c61ebf2e8b"
                    }
                ],
                "resourceVersion": "34008",
                "uid": "b12d68fb-9007-47d3-8e63-76a49e8ace68"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:05:24Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:05:24Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-856885200c7fdd805e2d881503cae6ba-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6\", \"digests\": [\"sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782936322\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-01T20:03:50Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://2265e1da7f75f522ad09d9f3fac6fa72f992a1982dc1be4c5d6d3b3ad239c316",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:04:04Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:04:02Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://7dc82ce09adc0d6c6834d4a71e2c7dd667e131b1c4f43ef13296f1dcc28c70cd",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:04:04Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:04:04Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://85a8db4eeb49f710be46652900aa3a21d8e5b11505d03b8402c988da43ea1b22",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:04:04Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:04:04Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f8bda9b2f4e05703874e9a615e4d538950be1cad8344b7cb5449611481a6bd57",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:05:22Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:04:05Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6\", \"digests\": [\"sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782936322\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://d90e2188c0d056235a4f1cd0ef8de25a1d8c5a476be056fb1f0a25d7c3f2b48e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:05:22Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6\\\", \\\"digests\\\": [\\\"sha256:abce45d3cc2277ee6ad09f12c0347ab791651df9eaba1306d4ab16bcb35609ab\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782936322\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:05:22Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782936322\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://38f5ed19ef5b1456b2ef51ec75aaf79e424888a986a2d67aefa4b800b6721e34",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:05:23Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782936322\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:05:23Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-eaf5145465afd89b8a597b830707cb4caa58ced6"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/commit_sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "build.appstudio.redhat.com/pull_request_number": "22761",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-tpitzu",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-srs4j",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-b5o23l",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6/records/a7fba6fe-b128-4298-a8b0-8f7c239b8b67",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"100d294565b847cca92e0c65101c1f8daf75abd1\",\"eventType\":\"pull_request\",\"pull_request-id\":22761}",
                    "results.tekton.dev/result": "group-5ld1/results/fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-b5o23l",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T20:11:18Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84626355554",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22761",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "100d294565b847cca92e0c65101c1f8daf75abd1",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-srs4j",
                    "tekton.dev/pipelineRunUID": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "4c491eef483dc8dfedc589c8d5494d7af3938f5912e7d8022a5362ef9ec2ac"
                },
                "name": "python-component-9p2jjw-on-pullaf62b9005b0125674b8943b513b2a6b6",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-srs4j",
                        "uid": "fad61d95-d54f-4bab-82e7-29a68ee3c9f6"
                    }
                ],
                "resourceVersion": "41226",
                "uid": "a7fba6fe-b128-4298-a8b0-8f7c239b8b67"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T20:12:52Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T20:12:52Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-c3f0be6fd1e5ad5faa45e78bfd677401-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1\", \"digests\": [\"sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782936770\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-01T20:11:18Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://1f3aa110fd1be62a39a477d922450159d4660e680f0441ac59982af79561e5fd",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:11:40Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:11:39Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://fc2360f3da850218c189108333b84e6d058ef8e97f46de280ca7446249a7a5c6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:11:41Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:11:40Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5e46a9ba94585cd4d238d38762ec2622f49f9f52dcac124729756c6942463c7a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:11:41Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:11:41Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8bb9d3163a2c7ed1dd037d54a709cf6c6ee2f1a29cdeb09e05e6245c803e2dce",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:12:49Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:11:42Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1\", \"digests\": [\"sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782936770\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://9ddb6e9ecfe0c5ad174aa5a171ef72a3326120d28b85f7587f5d86674aef4ac4",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:12:50Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1\\\", \\\"digests\\\": [\\\"sha256:46c4f51b8ae44f70ec6d34f1ef47f04d42d48478a46093227f8cfb1e449238c2\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782936770\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:12:50Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782936770\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://2358411880fe537bc5cef8805a02ce3c556e363d4b037634c17c7cd9e97ab0bf",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T20:12:51Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782936770\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T20:12:51Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-100d294565b847cca92e0c65101c1f8daf75abd1"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/commit_sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "build.appstudio.redhat.com/pull_request_number": "22760",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ouibog",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-pull-request-sth6c",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516/records/3916b950-271e-4793-95f0-973574145b7e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"a3694f062f4848eb46e4fb65d1ff2c44a42c9936\",\"eventType\":\"pull_request\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-9p2jjw",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-01T19:51:21Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84622758376",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "a3694f062f4848eb46e4fb65d1ff2c44a42c9936",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-pull-request-sth6c",
                    "tekton.dev/pipelineRunUID": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "16138e89992e306dd1eeb294e0e873d41676907ab34d46211eba994ac5654f"
                },
                "name": "python-component-9p2jjw-on-pullcb7dec189c6b8093b620f75428030ca7",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-pull-request-sth6c",
                        "uid": "6c5a8997-5ff4-4e8d-ae1a-a190d71f3516"
                    }
                ],
                "resourceVersion": "21544",
                "uid": "3916b950-271e-4793-95f0-973574145b7e"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:52:54Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:52:54Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-e67550af823ef50e1c74790cc90824e7-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936\", \"digests\": [\"sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782935573\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-01T19:51:21Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://954facaa4dc18d49b18e7093728dd8a9c2fba3f96a2c23e5c82735ce0e6b4c3d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:51:41Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:51:40Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://1391525663e9b94ba921ff2ca75add33724f18bcedf5d8d46f8dfae9aef964ac",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:51:42Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:51:42Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://33745c23ca8e14ba6cd66a0879bae4853412568456d7192dc11b660388365685",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:51:43Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:51:43Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5b3b40bf7e603a034c9117362e1786a2eddc9b24e27f252d44210893fc9bf566",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:52:52Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:51:44Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936\", \"digests\": [\"sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782935573\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://63e5085387e1b9fa8a644fa0572fda2d657ebefc5831398e8812cdbf3c5ac598",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:52:53Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936\\\", \\\"digests\\\": [\\\"sha256:2e5b978950ecb0f83eec05255e6eb0a7784442dd2d44a124150f45cdfd2cebff\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782935573\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:52:53Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782935573\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://d856a698fb087dcb3b62d262cdc23bc79b2feca935174c3ed7f46dac81cbd6a6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:52:54Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782935573\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:52:54Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:on-pr-a3694f062f4848eb46e4fb65d1ff2c44a42c9936"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/commit_sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxdjzb",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-push-hrpzp",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22760 from redhat-appstudio-qe/konflux-python-component-9p2jjw\n\nkonflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786/records/2ad4aea5-95dc-48d1-bfdb-0df4b78cf75a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"eventType\":\"push\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-01T19:58:00Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRunUID": "d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags"
                },
                "name": "python-component-9p2jjw-on-push-hrpzp-apply-tags",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-push-hrpzp",
                        "uid": "d21d1710-ff8a-4328-95b8-bf6bf3d51786"
                    }
                ],
                "resourceVersion": "26784",
                "uid": "2ad4aea5-95dc-48d1-bfdb-0df4b78cf75a"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:58:17Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:58:17Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-push-hrpzp-apply-tags-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-01T19:58:02Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7b12a069c192624ead0f95ba96d9bbe7a984af73930a7b8ddaa5403312f742e9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:17Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:16Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                                "--digest",
                                "sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/commit_sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-ea0b29ebf5",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxdjzb",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-push-hrpzp",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22760 from redhat-appstudio-qe/konflux-python-component-9p2jjw\n\nkonflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786/records/9cbc9f31-4afe-47ac-82d2-c28f4f122927",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"eventType\":\"push\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-01T19:54:32Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRunUID": "d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah"
                },
                "name": "python-component-9p2jjw-on-push-hrpzp-build-container",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-push-hrpzp",
                        "uid": "d21d1710-ff8a-4328-95b8-bf6bf3d51786"
                    }
                ],
                "resourceVersion": "26134",
                "uid": "9cbc9f31-4afe-47ac-82d2-c28f4f122927"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": ""
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-4268b38048"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:57:45Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:57:45Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-push-hrpzp-build-container-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018@sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:b63f711066dd189dc6ee6e6c3087e30522bcf777b024295553f079b884e69329"
                    }
                ],
                "startTime": "2026-07-01T19:54:32Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5b7db342da69b5dbbb51d64b11a78990656457568761c1402d77d7d4226c5947",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:55:09Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:54:39Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6f1f909fc8562f908c3c1714700444cbb2192f6d8e8a998aae5d5d58a1b7b4d3",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:56:02Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018@sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:55:09Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://02b0f0ffe14978a5459edf81bc69902267c6bf2bf2e858ad56d562b6dfb7c97e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:56:34Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018@sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:56:03Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://21661edaa2f5611ee4b3f89064e87e15a5ed21ab5b677eaec00320c38fba310f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:05Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018@sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:56:34Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://0c3d25c42f828c39c3ac311180009be451f5743efe62719a0d041b889382e149",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:45Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018@sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:b63f711066dd189dc6ee6e6c3087e30522bcf777b024295553f079b884e69329\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:06Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "python-component"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "docker/Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "python-component-9p2jjw-on-push-hrpzp-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/commit_sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxdjzb",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-push-hrpzp",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22760 from redhat-appstudio-qe/konflux-python-component-9p2jjw\n\nkonflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786/records/f764fdc3-ea98-4a1b-a6b8-412b62f5dd7b",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"eventType\":\"push\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-01T19:57:46Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRunUID": "d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index"
                },
                "name": "python-component-9p2jjw-on-push-hrpzp-build-image-index",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-push-hrpzp",
                        "uid": "d21d1710-ff8a-4328-95b8-bf6bf3d51786"
                    }
                ],
                "resourceVersion": "26141",
                "uid": "f764fdc3-ea98-4a1b-a6b8-412b62f5dd7b"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": ""
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018@sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:58:00Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:58:00Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-push-hrpzp-build-image-index-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                    }
                ],
                "startTime": "2026-07-01T19:57:46Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b55b4f6652608fc13c3dcc5acf601edd1f507de0e135f4eb90bb9d4a43f5da62",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:54Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:51Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://1d91dc5bfd9c5baed1996458b616e1814a754709ad89bce2360462f874eb9659",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:55Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:55Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://98fbe4495b67df92ba054408872093fafb4d611b0d0777d3fa385f10eb097645",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:57:58Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:57:55Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018@sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:python-component-9p2jjw-on-push-hrpzp-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:python-component-9p2jjw-on-push-hrpzp-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/commit_sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxdjzb",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-push-hrpzp",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22760 from redhat-appstudio-qe/konflux-python-component-9p2jjw\n\nkonflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786/records/543b1f39-2f58-4c27-87f3-0128813d392d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"eventType\":\"push\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-01T19:58:00Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRunUID": "d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan"
                },
                "name": "python-component-9p2jjw-on-push-hrpzp-clair-scan",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-push-hrpzp",
                        "uid": "d21d1710-ff8a-4328-95b8-bf6bf3d51786"
                    }
                ],
                "resourceVersion": "28603",
                "uid": "543b1f39-2f58-4c27-87f3-0128813d392d"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:59:41Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:59:41Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-push-hrpzp-clair-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018\", \"digests\": [\"sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\":\"sha256:02c86c2b3b941cbd0a4609cebc98d82766e8011865f992c432d3f57df2b9c93f\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":331,\"medium\":873,\"low\":241,\"unknown\":2},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":4,\"medium\":489,\"low\":633,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T19:59:40+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T19:58:00Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://1f5837456d05a837b707ad233074fe7f2b996e8b28d5458b1d1789d6e1deb3ae",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:24Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:18Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2833959500a77adb033a50b24123c5e65d94fd5bc2e40dd8282246555c6db9be",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:59:03Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:24Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3e339ca0bdb36be591b97957536db02eb58fc0f2f16acfb77646b6ae10c0d790",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:59:06Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:59:03Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7f6073d34b798f47273b72194bf4f6d10e4be1d852275a71d57b8665efe56e94",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:59:40Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018\\\", \\\"digests\\\": [\\\"sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\\\":\\\"sha256:02c86c2b3b941cbd0a4609cebc98d82766e8011865f992c432d3f57df2b9c93f\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":331,\\\"medium\\\":873,\\\"low\\\":241,\\\"unknown\\\":2},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":4,\\\"medium\\\":489,\\\"low\\\":633,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T19:59:40+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:59:06Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/commit_sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxdjzb",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-push-hrpzp",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22760 from redhat-appstudio-qe/konflux-python-component-9p2jjw\n\nkonflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786/records/e57bce5d-27ac-4e32-8494-30ca5bb35415",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"eventType\":\"push\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-01T19:58:00Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRunUID": "d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan"
                },
                "name": "python-component-9p2jjw-on-push-hrpzp-clamav-scan",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-push-hrpzp",
                        "uid": "d21d1710-ff8a-4328-95b8-bf6bf3d51786"
                    }
                ],
                "resourceVersion": "28794",
                "uid": "e57bce5d-27ac-4e32-8494-30ca5bb35415"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:59:27Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:59:27Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-push-hrpzp-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018\", \"digests\": [\"sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782935965\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-01T19:58:01Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:2da6c1a37fef998b68b675505fb654b1123e3cd889c190c59b4527d11621e8fc",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://939b966863ad60e672f9910820f1110a8541f4f180460def70c02b67a2ac8256",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:59:25Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018\\\", \\\"digests\\\": [\\\"sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782935965\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:18Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4b0acfe5a3d4106c59a1b288c125aa04d36aab28b7c68c6eb123e879e3c47066",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:59:27Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018\\\", \\\"digests\\\": [\\\"sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782935965\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:59:25Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/commit_sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-ea0b29ebf5",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxdjzb",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-push-hrpzp",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22760 from redhat-appstudio-qe/konflux-python-component-9p2jjw\n\nkonflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786/records/8f80d72d-e7e6-4677-b62f-7a53d0a6e8f6",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"eventType\":\"push\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-01T19:54:09Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRunUID": "d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone"
                },
                "name": "python-component-9p2jjw-on-push-hrpzp-clone-repository",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-push-hrpzp",
                        "uid": "d21d1710-ff8a-4328-95b8-bf6bf3d51786"
                    }
                ],
                "resourceVersion": "23170",
                "uid": "8f80d72d-e7e6-4677-b62f-7a53d0a6e8f6"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "revision",
                        "value": "87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-4268b38048"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-zxdjzb"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:54:16Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:54:16Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-push-hrpzp-clone-repository-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1782935605"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "87ceed9"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    }
                ],
                "startTime": "2026-07-01T19:54:09Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://125ba749a63226d20a88e11b77a6c13701268c6dffe612fca97d468d737f5f70",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:54:14Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782935605\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"87ceed9\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:54:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://18f83d96f6263584c07f09470d012491b67cedfbd1facaba6d9bef4eb4780bef",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:54:15Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782935605\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"87ceed9\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:54:15Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/commit_sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxdjzb",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-push-hrpzp",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22760 from redhat-appstudio-qe/konflux-python-component-9p2jjw\n\nkonflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786/records/ec6a9bc2-10be-4707-82f3-f35eaaf8bf6b",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"eventType\":\"push\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-01T19:54:02Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRunUID": "d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init"
                },
                "name": "python-component-9p2jjw-on-push-hrpzp-init",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-push-hrpzp",
                        "uid": "d21d1710-ff8a-4328-95b8-bf6bf3d51786"
                    }
                ],
                "resourceVersion": "22836",
                "uid": "ec6a9bc2-10be-4707-82f3-f35eaaf8bf6b"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:54:07Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:54:07Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-push-hrpzp-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-01T19:54:03Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://20213da278f5d7b64b34c33d1215b762899f78524998a0a20397a0a457911007",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:54:07Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:54:06Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/commit_sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-ea0b29ebf5",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxdjzb",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-push-hrpzp",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22760 from redhat-appstudio-qe/konflux-python-component-9p2jjw\n\nkonflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786/records/668e332f-b093-4963-b202-0b89ba70bf3f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"eventType\":\"push\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-01T19:54:18Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRunUID": "d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies"
                },
                "name": "python-component-9p2jjw-on-push-hrpzp-prefetch-dependencies",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-push-hrpzp",
                        "uid": "d21d1710-ff8a-4328-95b8-bf6bf3d51786"
                    }
                ],
                "resourceVersion": "23394",
                "uid": "668e332f-b093-4963-b202-0b89ba70bf3f"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-4268b38048"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-zxdjzb"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:54:30Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:54:30Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-push-hrpzp-prefetch-dependencies-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-01T19:54:18Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ebd99d35c6b14f79fdc5cc4cea71d37b7692534c169445971c2441f759326a10",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:54:29Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:54:24Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/commit_sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-ea0b29ebf5",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxdjzb",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-push-hrpzp",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22760 from redhat-appstudio-qe/konflux-python-component-9p2jjw\n\nkonflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786/records/5d6eb312-b42f-4414-aee0-4839974df4c0",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"eventType\":\"push\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-01T19:58:00Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRunUID": "d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile"
                },
                "name": "python-component-9p2jjw-on-push-hrpzp-push-dockerfile",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-push-hrpzp",
                        "uid": "d21d1710-ff8a-4328-95b8-bf6bf3d51786"
                    }
                ],
                "resourceVersion": "26762",
                "uid": "5d6eb312-b42f-4414-aee0-4839974df4c0"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-4268b38048"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:58:18Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:58:18Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-push-hrpzp-push-dockerfile-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:691f221965c860cdecf7053070222e2245f125e69f7c6ebc54c952a8963cf2e0"
                    }
                ],
                "startTime": "2026-07-01T19:58:03Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://50a667944a3cdd6e2e66ec9a6818956e467dbda808972b0810940530aca40b7e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:18Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw@sha256:691f221965c860cdecf7053070222e2245f125e69f7c6ebc54c952a8963cf2e0\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:17Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                "python-component",
                                "--containerfile",
                                "docker/Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                                "--image-digest",
                                "sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/commit_sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxdjzb",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-push-hrpzp",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22760 from redhat-appstudio-qe/konflux-python-component-9p2jjw\n\nkonflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786/records/d2587ca5-8a11-4828-a806-39181184a5ab",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"eventType\":\"push\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-01T19:58:00Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRunUID": "d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan"
                },
                "name": "python-component-9p2jjw-on-push-hrpzp-rpms-signature-scan",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-push-hrpzp",
                        "uid": "d21d1710-ff8a-4328-95b8-bf6bf3d51786"
                    }
                ],
                "resourceVersion": "28265",
                "uid": "d2587ca5-8a11-4828-a806-39181184a5ab"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:59:14Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:59:14Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-push-hrpzp-rpms-signature-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018\", \"digests\": [\"sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 467, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T19:59:13+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T19:58:04Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://fff220d009b4778fbd3414e6abb5fe09396bcdc028f6b09f7f910cd9f7432b91",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:59:13Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ac37b921bc9be89b1d078073b1a907ed10c360fbe8d73ecbe06fa3ddd7f867dc",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:59:14Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018\\\", \\\"digests\\\": [\\\"sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 467, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T19:59:13+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:59:13Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/commit_sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-ea0b29ebf5",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxdjzb",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-push-hrpzp",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22760 from redhat-appstudio-qe/konflux-python-component-9p2jjw\n\nkonflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786/records/c3e1e975-e821-45c6-a334-be2faa576af9",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"eventType\":\"push\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-01T19:58:00Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRunUID": "d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check"
                },
                "name": "python-component-9p2jjw-on-push-hrpzp-sast-shell-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-push-hrpzp",
                        "uid": "d21d1710-ff8a-4328-95b8-bf6bf3d51786"
                    }
                ],
                "resourceVersion": "26653",
                "uid": "c3e1e975-e821-45c6-a334-be2faa576af9"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-4268b38048"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:58:21Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:58:21Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-push-hrpzp-sast-shell-check-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T19:58:19+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T19:58:02Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7962b8366375437a2fc43c6d367286a78f2f353ee088a12a730a162786042c46",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:19Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T19:58:19+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:18Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c47627d301f605941e9a35423ea7369e6f9b3a57b2416ca89ae9118e0b452fcc",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:21Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T19:58:19+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:20Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/commit_sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-ea0b29ebf5",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxdjzb",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-push-hrpzp",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22760 from redhat-appstudio-qe/konflux-python-component-9p2jjw\n\nkonflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786/records/3be4e3ed-c60a-4fb8-ba00-7667ce094d50",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"eventType\":\"push\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-01T19:58:00Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRunUID": "d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check"
                },
                "name": "python-component-9p2jjw-on-push-hrpzp-sast-snyk-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-push-hrpzp",
                        "uid": "d21d1710-ff8a-4328-95b8-bf6bf3d51786"
                    }
                ],
                "resourceVersion": "27565",
                "uid": "3be4e3ed-c60a-4fb8-ba00-7667ce094d50"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-4268b38048"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:58:20Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:58:20Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-push-hrpzp-sast-snyk-check-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-01T19:58:19+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T19:58:00Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://026bc4b5f0b3cf2c37a034911406bcc6819f7cff0eab5d5152bde74f6a424953",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:19Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-01T19:58:19+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:18Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://317acc3403fcb1285ae51b3dff8c84c58118c08285e9ddd5a75ceb2018c5e665",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:20Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-01T19:58:19+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:20Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/commit_sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-ea0b29ebf5",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxdjzb",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-push-hrpzp",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22760 from redhat-appstudio-qe/konflux-python-component-9p2jjw\n\nkonflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786/records/b319f54c-3dab-46b9-a12e-e50d410ca974",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"eventType\":\"push\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-01T19:58:00Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRunUID": "d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check"
                },
                "name": "python-component-9p2jjw-on-push-hrpzp-sast-unicode-check",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-push-hrpzp",
                        "uid": "d21d1710-ff8a-4328-95b8-bf6bf3d51786"
                    }
                ],
                "resourceVersion": "26652",
                "uid": "b319f54c-3dab-46b9-a12e-e50d410ca974"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-4268b38048"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:58:21Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:58:21Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-push-hrpzp-sast-unicode-check-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-01T19:58:20+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-01T19:58:02Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://572012bf76abe09fb1c8097e53fe4ad8f4bb7de159cb320795a8ca0e2e62a46b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:20Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T19:58:20+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:19Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f9a33d78bc5fb7c1fb359fcaba45c87335621a4c364c87495a28eee00f7d5403",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:21Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-01T19:58:20+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:20Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/commit_sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-6m9e0w",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxdjzb",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://100.48.158.92:9443/ns/group-5ld1/pipelinerun/python-component-9p2jjw-on-push-hrpzp",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-6m9e0w\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-9p2jjw-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22760 from redhat-appstudio-qe/konflux-python-component-9p2jjw\n\nkonflux-ci e2e-tests update python-component-9p2jjw",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-6m9e0w",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786/records/af64b8fb-5625-4468-a282-c19eb9d489f1",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"87ceed9b65f8f4fb160ed3ed7838dad03e845018\",\"eventType\":\"push\",\"pull_request-id\":22760}",
                    "results.tekton.dev/result": "group-5ld1/results/d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-01T19:58:00Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-2umy",
                    "appstudio.openshift.io/component": "python-component-9p2jjw",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84623979675",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-9p2jjw-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22760",
                    "pipelinesascode.tekton.dev/repository": "go-component-oy4t5e",
                    "pipelinesascode.tekton.dev/sha": "87ceed9b65f8f4fb160ed3ed7838dad03e845018",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRun": "python-component-9p2jjw-on-push-hrpzp",
                    "tekton.dev/pipelineRunUID": "d21d1710-ff8a-4328-95b8-bf6bf3d51786",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks"
                },
                "name": "python-component-9p2jjw-on-pusha227504a4d40cfb2390c5a0413aa6f78",
                "namespace": "group-5ld1",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-9p2jjw-on-push-hrpzp",
                        "uid": "d21d1710-ff8a-4328-95b8-bf6bf3d51786"
                    }
                ],
                "resourceVersion": "28881",
                "uid": "af64b8fb-5625-4468-a282-c19eb9d489f1"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-9p2jjw",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-01T19:59:27Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-01T19:59:27Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-9p2jjw-on-2996c5659d4682d102fafed5773fcf98-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018\", \"digests\": [\"sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782935966\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-01T19:58:00Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://875ede40189210bfd029611dd5a7999f398e5bf49ac054fe144bcd76abd43f9c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:19Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:17Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://1ac92a1986e216e3ddef85e0e07e373bc3588bedfeee011c1de9f181e7d43165",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:19Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:19Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6e78be5e751097bd90fd416674a071209ae45ec20b760018ededab00060b160b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:58:20Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:20Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d6f7c2b8ac5ceed668824f60d6def0eaf33a4cd887fc4701c7a4d5cb2dd41f02",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:59:25Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:58:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018\", \"digests\": [\"sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782935966\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://bd41cb0a205fc449f5e83994995369a88841154feb696216c6329c3647387e1b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:59:26Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018\\\", \\\"digests\\\": [\\\"sha256:a864ea30d7823fa9104f94b997cf6ee36d53a4379b05840e6c9ed2a39f87c5cd\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782935966\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:59:26Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782935966\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://adf1b93cdecd75ff7b7d2a4614ab2506241f1bf9bc3490e68c12badaffd07b77",
                            "exitCode": 0,
                            "finishedAt": "2026-07-01T19:59:27Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782935966\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-01T19:59:27Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-5ld1/python-component-9p2jjw:87ceed9b65f8f4fb160ed3ed7838dad03e845018"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        }
    ],
    "kind": "List",
    "metadata": {
        "resourceVersion": ""
    }
}
