{
    "apiVersion": "v1",
    "items": [
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/tree/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/commit_sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/pull_request_number": "17885",
                    "build.appstudio.redhat.com/target_branch": "base-gitlab-k2hpmc",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-gitlab-k2hpmc",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "Merge Request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-nodqgv",
                    "pac.test.appstudio.openshift.io/git-provider": "gitlab",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-gitlab-k2hpmc\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "17885",
                    "pac.test.appstudio.openshift.io/repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-qe-bot",
                    "pac.test.appstudio.openshift.io/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pac.test.appstudio.openshift.io/sha-title": "Konflux update test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/sha-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/commit/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/source-project-id": "56586709",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/target-project-id": "56586709",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "hacbs-test-project-integration",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "gitlab-rep-jm2z/results/97c7d428-0994-48a7-99da-7c92ccded39c/records/c1ca3396-34be-40ad-9731-be27336d68e7",
                    "results.tekton.dev/result": "gitlab-rep-jm2z/results/97c7d428-0994-48a7-99da-7c92ccded39c",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3 is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1782995999000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-gitlab-g4598s",
                    "test.appstudio.openshift.io/result-chains-git-commit": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "test.appstudio.openshift.io/status": "[{\"scenario\":\"integration-test-gxeh\",\"status\":\"Pending\",\"lastUpdateTime\":\"2026-07-02T12:44:14.521530606Z\",\"details\":\"Pending\"},{\"scenario\":\"integration-test-z0nu\",\"status\":\"Pending\",\"lastUpdateTime\":\"2026-07-02T12:44:14.521528652Z\",\"details\":\"Pending\"}]"
                },
                "creationTimestamp": "2026-07-02T12:44:16Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-02T12:44:58Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-evo0",
                    "appstudio.openshift.io/component": "test-comp-pac-gitlab-g4598s",
                    "appstudio.openshift.io/snapshot": "integ-app-evo0-20260702-123959-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/event-type": "Merge_Request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "17885",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "hacbs-test-project-integration",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-resolver-pipeline-pass",
                    "tekton.dev/pipelineRun": "integration-test-gxeh-9mct8",
                    "tekton.dev/pipelineRunUID": "97c7d428-0994-48a7-99da-7c92ccded39c",
                    "tekton.dev/pipelineTask": "task-fail",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1782996252",
                    "test.appstudio.openshift.io/pr-group-sha": "27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3",
                    "test.appstudio.openshift.io/run": "integration-test-z0nu",
                    "test.appstudio.openshift.io/scenario": "integration-test-gxeh",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-gxeh-9mct8-task-fail",
                "namespace": "gitlab-rep-jm2z",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-gxeh-9mct8",
                        "uid": "97c7d428-0994-48a7-99da-7c92ccded39c"
                    }
                ],
                "resourceVersion": "68405",
                "uid": "c1ca3396-34be-40ad-9731-be27336d68e7"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "FAILURE"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:44:26Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:44:26Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-gxeh-9mct8-task-fail-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-02T12:44:25+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-02T12:44:17Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c370a7bc6e172cdbab001f1a19f37ebc95f47c3d8fe2d915fa4641132490ead7",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9d699bb446bad2df33561b757d850440805e590d96d66d243a810390a534c4ec",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:44:25Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-02T12:44:25+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:44:25Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT FAILURE --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/tree/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/commit_sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/pull_request_number": "17885",
                    "build.appstudio.redhat.com/target_branch": "base-gitlab-k2hpmc",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-gitlab-k2hpmc",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "Merge Request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-nodqgv",
                    "pac.test.appstudio.openshift.io/git-provider": "gitlab",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-gitlab-k2hpmc\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "17885",
                    "pac.test.appstudio.openshift.io/repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-qe-bot",
                    "pac.test.appstudio.openshift.io/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pac.test.appstudio.openshift.io/sha-title": "Konflux update test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/sha-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/commit/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/source-project-id": "56586709",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/target-project-id": "56586709",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "hacbs-test-project-integration",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "gitlab-rep-jm2z/results/97c7d428-0994-48a7-99da-7c92ccded39c/records/c3db2367-86d8-4868-a632-c4e1eaefb71f",
                    "results.tekton.dev/result": "gitlab-rep-jm2z/results/97c7d428-0994-48a7-99da-7c92ccded39c",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3 is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1782995999000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-gitlab-g4598s",
                    "test.appstudio.openshift.io/result-chains-git-commit": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "test.appstudio.openshift.io/status": "[{\"scenario\":\"integration-test-gxeh\",\"status\":\"Pending\",\"lastUpdateTime\":\"2026-07-02T12:44:14.521530606Z\",\"details\":\"Pending\"},{\"scenario\":\"integration-test-z0nu\",\"status\":\"Pending\",\"lastUpdateTime\":\"2026-07-02T12:44:14.521528652Z\",\"details\":\"Pending\"}]"
                },
                "creationTimestamp": "2026-07-02T12:44:16Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-02T12:44:58Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-evo0",
                    "appstudio.openshift.io/component": "test-comp-pac-gitlab-g4598s",
                    "appstudio.openshift.io/snapshot": "integ-app-evo0-20260702-123959-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/event-type": "Merge_Request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "17885",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "hacbs-test-project-integration",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-resolver-pipeline-pass",
                    "tekton.dev/pipelineRun": "integration-test-gxeh-9mct8",
                    "tekton.dev/pipelineRunUID": "97c7d428-0994-48a7-99da-7c92ccded39c",
                    "tekton.dev/pipelineTask": "task-skipped",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1782996252",
                    "test.appstudio.openshift.io/pr-group-sha": "27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3",
                    "test.appstudio.openshift.io/run": "integration-test-z0nu",
                    "test.appstudio.openshift.io/scenario": "integration-test-gxeh",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-gxeh-9mct8-task-skipped",
                "namespace": "gitlab-rep-jm2z",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-gxeh-9mct8",
                        "uid": "97c7d428-0994-48a7-99da-7c92ccded39c"
                    }
                ],
                "resourceVersion": "68404",
                "uid": "c3db2367-86d8-4868-a632-c4e1eaefb71f"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SKIPPED"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:44:26Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:44:26Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-gxeh-9mct8-task-skipped-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-02T12:44:25+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-02T12:44:18Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c370a7bc6e172cdbab001f1a19f37ebc95f47c3d8fe2d915fa4641132490ead7",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8405697c301d0183ded8b681a4b8de6eed7be73b768c098d1da9b0bca6f5a749",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:44:25Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-02T12:44:25+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:44:25Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SKIPPED --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/tree/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/commit_sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/pull_request_number": "17885",
                    "build.appstudio.redhat.com/target_branch": "base-gitlab-k2hpmc",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-gitlab-k2hpmc",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "Merge Request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-nodqgv",
                    "pac.test.appstudio.openshift.io/git-provider": "gitlab",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-gitlab-k2hpmc\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "17885",
                    "pac.test.appstudio.openshift.io/repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-qe-bot",
                    "pac.test.appstudio.openshift.io/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pac.test.appstudio.openshift.io/sha-title": "Konflux update test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/sha-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/commit/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/source-project-id": "56586709",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/target-project-id": "56586709",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "hacbs-test-project-integration",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "gitlab-rep-jm2z/results/97c7d428-0994-48a7-99da-7c92ccded39c/records/9c4036e4-5a50-45e2-9cc9-2c5c035a708f",
                    "results.tekton.dev/result": "gitlab-rep-jm2z/results/97c7d428-0994-48a7-99da-7c92ccded39c",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3 is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1782995999000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-gitlab-g4598s",
                    "test.appstudio.openshift.io/result-chains-git-commit": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "test.appstudio.openshift.io/status": "[{\"scenario\":\"integration-test-gxeh\",\"status\":\"Pending\",\"lastUpdateTime\":\"2026-07-02T12:44:14.521530606Z\",\"details\":\"Pending\"},{\"scenario\":\"integration-test-z0nu\",\"status\":\"Pending\",\"lastUpdateTime\":\"2026-07-02T12:44:14.521528652Z\",\"details\":\"Pending\"}]"
                },
                "creationTimestamp": "2026-07-02T12:44:16Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-02T12:44:58Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-evo0",
                    "appstudio.openshift.io/component": "test-comp-pac-gitlab-g4598s",
                    "appstudio.openshift.io/snapshot": "integ-app-evo0-20260702-123959-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/event-type": "Merge_Request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "17885",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "hacbs-test-project-integration",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-resolver-pipeline-pass",
                    "tekton.dev/pipelineRun": "integration-test-gxeh-9mct8",
                    "tekton.dev/pipelineRunUID": "97c7d428-0994-48a7-99da-7c92ccded39c",
                    "tekton.dev/pipelineTask": "task-success",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1782996252",
                    "test.appstudio.openshift.io/pr-group-sha": "27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3",
                    "test.appstudio.openshift.io/run": "integration-test-z0nu",
                    "test.appstudio.openshift.io/scenario": "integration-test-gxeh",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-gxeh-9mct8-task-success",
                "namespace": "gitlab-rep-jm2z",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-gxeh-9mct8",
                        "uid": "97c7d428-0994-48a7-99da-7c92ccded39c"
                    }
                ],
                "resourceVersion": "68408",
                "uid": "9c4036e4-5a50-45e2-9cc9-2c5c035a708f"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SUCCESS"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:44:25Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:44:25Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-gxeh-9mct8-task-success-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:44:24+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-02T12:44:16Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c370a7bc6e172cdbab001f1a19f37ebc95f47c3d8fe2d915fa4641132490ead7",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://85bab74baa399a2a067c2e3e75ad5501e81a17e24143527f06a6f2699ee5abee",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:44:24Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:44:24+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:44:24Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SUCCESS --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/tree/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/commit_sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/pull_request_number": "17885",
                    "build.appstudio.redhat.com/target_branch": "base-gitlab-k2hpmc",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-gitlab-k2hpmc",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "Merge Request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-nodqgv",
                    "pac.test.appstudio.openshift.io/git-provider": "gitlab",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-gitlab-k2hpmc\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "17885",
                    "pac.test.appstudio.openshift.io/repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-qe-bot",
                    "pac.test.appstudio.openshift.io/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pac.test.appstudio.openshift.io/sha-title": "Konflux update test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/sha-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/commit/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/source-project-id": "56586709",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/target-project-id": "56586709",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "hacbs-test-project-integration",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "gitlab-rep-jm2z/results/07ebb67d-f973-4a93-989d-2dd8f60009b7/records/cbd548a8-1172-43f4-ba84-eb5d86cc8748",
                    "results.tekton.dev/result": "gitlab-rep-jm2z/results/07ebb67d-f973-4a93-989d-2dd8f60009b7",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3 is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1782995999000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-gitlab-g4598s",
                    "test.appstudio.openshift.io/result-chains-git-commit": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "test.appstudio.openshift.io/status": "[{\"scenario\":\"integration-test-gxeh\",\"status\":\"Pending\",\"lastUpdateTime\":\"2026-07-02T12:44:14.521530606Z\",\"details\":\"Pending\"},{\"scenario\":\"integration-test-z0nu\",\"status\":\"Pending\",\"lastUpdateTime\":\"2026-07-02T12:44:14.521528652Z\",\"details\":\"Pending\"}]"
                },
                "creationTimestamp": "2026-07-02T12:44:16Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-02T12:44:55Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-evo0",
                    "appstudio.openshift.io/component": "test-comp-pac-gitlab-g4598s",
                    "appstudio.openshift.io/snapshot": "integ-app-evo0-20260702-123959-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/event-type": "Merge_Request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "17885",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "hacbs-test-project-integration",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-resolver-pipeline-pass",
                    "tekton.dev/pipelineRun": "integration-test-z0nu-5j2gk",
                    "tekton.dev/pipelineRunUID": "07ebb67d-f973-4a93-989d-2dd8f60009b7",
                    "tekton.dev/pipelineTask": "task-skipped",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1782996252",
                    "test.appstudio.openshift.io/pr-group-sha": "27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3",
                    "test.appstudio.openshift.io/run": "integration-test-z0nu",
                    "test.appstudio.openshift.io/scenario": "integration-test-z0nu",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-z0nu-5j2gk-task-skipped",
                "namespace": "gitlab-rep-jm2z",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-z0nu-5j2gk",
                        "uid": "07ebb67d-f973-4a93-989d-2dd8f60009b7"
                    }
                ],
                "resourceVersion": "68266",
                "uid": "cbd548a8-1172-43f4-ba84-eb5d86cc8748"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SKIPPED"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:44:26Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:44:26Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-z0nu-5j2gk-task-skipped-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-02T12:44:25+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-02T12:44:18Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c370a7bc6e172cdbab001f1a19f37ebc95f47c3d8fe2d915fa4641132490ead7",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://78d2c9982adeb76428c431afe0996785833d37eda75389964d310a2b3a7a8edb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:44:25Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-02T12:44:25+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:44:25Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SKIPPED --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/tree/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/commit_sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/pull_request_number": "17885",
                    "build.appstudio.redhat.com/target_branch": "base-gitlab-k2hpmc",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-gitlab-k2hpmc",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "Merge Request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-nodqgv",
                    "pac.test.appstudio.openshift.io/git-provider": "gitlab",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-gitlab-k2hpmc\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "17885",
                    "pac.test.appstudio.openshift.io/repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-qe-bot",
                    "pac.test.appstudio.openshift.io/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pac.test.appstudio.openshift.io/sha-title": "Konflux update test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/sha-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/commit/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/source-project-id": "56586709",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/target-project-id": "56586709",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "hacbs-test-project-integration",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "gitlab-rep-jm2z/results/07ebb67d-f973-4a93-989d-2dd8f60009b7/records/419c0cff-9b5c-4aa7-aa41-61819eebbead",
                    "results.tekton.dev/result": "gitlab-rep-jm2z/results/07ebb67d-f973-4a93-989d-2dd8f60009b7",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3 is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1782995999000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-gitlab-g4598s",
                    "test.appstudio.openshift.io/result-chains-git-commit": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "test.appstudio.openshift.io/status": "[{\"scenario\":\"integration-test-gxeh\",\"status\":\"Pending\",\"lastUpdateTime\":\"2026-07-02T12:44:14.521530606Z\",\"details\":\"Pending\"},{\"scenario\":\"integration-test-z0nu\",\"status\":\"Pending\",\"lastUpdateTime\":\"2026-07-02T12:44:14.521528652Z\",\"details\":\"Pending\"}]"
                },
                "creationTimestamp": "2026-07-02T12:44:16Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-02T12:44:55Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-evo0",
                    "appstudio.openshift.io/component": "test-comp-pac-gitlab-g4598s",
                    "appstudio.openshift.io/snapshot": "integ-app-evo0-20260702-123959-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/event-type": "Merge_Request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "17885",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "hacbs-test-project-integration",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-resolver-pipeline-pass",
                    "tekton.dev/pipelineRun": "integration-test-z0nu-5j2gk",
                    "tekton.dev/pipelineRunUID": "07ebb67d-f973-4a93-989d-2dd8f60009b7",
                    "tekton.dev/pipelineTask": "task-success",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1782996252",
                    "test.appstudio.openshift.io/pr-group-sha": "27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3",
                    "test.appstudio.openshift.io/run": "integration-test-z0nu",
                    "test.appstudio.openshift.io/scenario": "integration-test-z0nu",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-z0nu-5j2gk-task-success",
                "namespace": "gitlab-rep-jm2z",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-z0nu-5j2gk",
                        "uid": "07ebb67d-f973-4a93-989d-2dd8f60009b7"
                    }
                ],
                "resourceVersion": "68263",
                "uid": "419c0cff-9b5c-4aa7-aa41-61819eebbead"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SUCCESS"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:44:23Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:44:23Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-z0nu-5j2gk-task-success-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:44:22+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-02T12:44:16Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c370a7bc6e172cdbab001f1a19f37ebc95f47c3d8fe2d915fa4641132490ead7",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5ab73d107dd2865a22bbabf82a4c759857edfdfff0c8a160b31c4de9b101b17f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:44:22Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:44:22+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:44:22Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SUCCESS --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/tree/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/commit_sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/pull_request_number": "17885",
                    "build.appstudio.redhat.com/target_branch": "base-gitlab-k2hpmc",
                    "chains.tekton.dev/signed": "true",
                    "pac.test.appstudio.openshift.io/branch": "base-gitlab-k2hpmc",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "Merge Request",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-nodqgv",
                    "pac.test.appstudio.openshift.io/git-provider": "gitlab",
                    "pac.test.appstudio.openshift.io/log-url": "https://CONSOLE_URL_NOT_AVAILABLE",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-gitlab-k2hpmc\"",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "17885",
                    "pac.test.appstudio.openshift.io/repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "konflux-ci-qe-bot",
                    "pac.test.appstudio.openshift.io/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pac.test.appstudio.openshift.io/sha-title": "Konflux update test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/sha-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/commit/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pac.test.appstudio.openshift.io/source-branch": "konflux-test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/source-project-id": "56586709",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/target-project-id": "56586709",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "hacbs-test-project-integration",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "gitlab-rep-jm2z/results/07ebb67d-f973-4a93-989d-2dd8f60009b7/records/14e5d9be-2de8-4823-8372-ba01f5b9e5e4",
                    "results.tekton.dev/result": "gitlab-rep-jm2z/results/07ebb67d-f973-4a93-989d-2dd8f60009b7",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "The number 0 of component snapshots belonging to this pr group hash 27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3 is less than 2, skipping group snapshot creation",
                    "test.appstudio.openshift.io/integration-workflow": "pull-request",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1782995999000",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-gitlab-g4598s",
                    "test.appstudio.openshift.io/result-chains-git-commit": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "test.appstudio.openshift.io/result-chains-git-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "test.appstudio.openshift.io/result-image-digest": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd",
                    "test.appstudio.openshift.io/result-image-url": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed",
                    "test.appstudio.openshift.io/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "test.appstudio.openshift.io/status": "[{\"scenario\":\"integration-test-gxeh\",\"status\":\"Pending\",\"lastUpdateTime\":\"2026-07-02T12:44:14.521530606Z\",\"details\":\"Pending\"},{\"scenario\":\"integration-test-z0nu\",\"status\":\"Pending\",\"lastUpdateTime\":\"2026-07-02T12:44:14.521528652Z\",\"details\":\"Pending\"}]"
                },
                "creationTimestamp": "2026-07-02T12:44:16Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-02T12:44:55Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "integ-app-evo0",
                    "appstudio.openshift.io/component": "test-comp-pac-gitlab-g4598s",
                    "appstudio.openshift.io/snapshot": "integ-app-evo0-20260702-123959-000",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "true",
                    "pac.test.appstudio.openshift.io/event-type": "Merge_Request",
                    "pac.test.appstudio.openshift.io/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pac.test.appstudio.openshift.io/pull-request": "17885",
                    "pac.test.appstudio.openshift.io/repository": "test-comp-pac-gitlab-g4598s",
                    "pac.test.appstudio.openshift.io/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "konflux-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "hacbs-test-project-integration",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "integration-resolver-pipeline-pass",
                    "tekton.dev/pipelineRun": "integration-test-z0nu-5j2gk",
                    "tekton.dev/pipelineRunUID": "07ebb67d-f973-4a93-989d-2dd8f60009b7",
                    "tekton.dev/pipelineTask": "task-success-2",
                    "tekton.dev/task": "test-output",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1782996252",
                    "test.appstudio.openshift.io/pr-group-sha": "27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3",
                    "test.appstudio.openshift.io/run": "integration-test-z0nu",
                    "test.appstudio.openshift.io/scenario": "integration-test-z0nu",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "integration-test-z0nu-5j2gk-task-success-2",
                "namespace": "gitlab-rep-jm2z",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "integration-test-z0nu-5j2gk",
                        "uid": "07ebb67d-f973-4a93-989d-2dd8f60009b7"
                    }
                ],
                "resourceVersion": "68265",
                "uid": "14e5d9be-2de8-4823-8372-ba01f5b9e5e4"
            },
            "spec": {
                "params": [
                    {
                        "name": "RESULT",
                        "value": "SUCCESS"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/integration-examples"
                        },
                        {
                            "name": "revision",
                            "value": "main"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/test_output.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:44:25Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:44:25Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "integration-test-z0nu-5j2gk-task-success-2-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "a1a70b0a1cfc96f5216d472fbd60f6b42780b3e5"
                        },
                        "entryPoint": "tasks/test_output.yaml",
                        "uri": "git+https://github.com/konflux-ci/integration-examples"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:44:25+00:00\",\"failures\":0,\"successes\":0,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-02T12:44:17Z",
                "steps": [
                    {
                        "container": "step-unnamed-0",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c370a7bc6e172cdbab001f1a19f37ebc95f47c3d8fe2d915fa4641132490ead7",
                        "name": "unnamed-0",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9d0e29187cdb74c03599aa10d7deeed914e71c3a895a306b3ac319330be07999",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:44:25Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:44:25+00:00\\\",\\\"failures\\\":0,\\\"successes\\\":0,\\\"warnings\\\":0}\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:44:25Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "params": [
                        {
                            "default": "SUCCESS",
                            "description": "Test result to be generated",
                            "name": "RESULT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Test output",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/konflux-test:latest",
                            "name": "",
                            "script": "TEST_OUTPUT=$(jq -rc --arg date $(date -u --iso-8601=seconds) --arg RESULT SUCCESS --null-input \\\n  '{result: $RESULT, timestamp: $date, failures: 0, successes: 0, warnings: 0}')\necho -n \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/tree/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/commit_sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/pull_request_number": "17885",
                    "build.appstudio.redhat.com/target_branch": "base-gitlab-k2hpmc",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-gitlab-k2hpmc",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "Merge Request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-nodqgv",
                    "pipelinesascode.tekton.dev/git-provider": "gitlab",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/gitlab-rep-jm2z/pipelinerun/test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-gitlab-k2hpmc\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/commit/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/source-project-id": "56586709",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/target-project-id": "56586709",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0/records/7532e644-18fd-43bf-97bf-bf9d5defb755",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"hacbs-test-project-integration\",\"commit\":\"eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"eventType\":\"Merge Request\",\"pull_request-id\":17885}",
                    "results.tekton.dev/result": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-gitlab-g4598s",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:43:13Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-02T12:44:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-evo0",
                    "appstudio.openshift.io/component": "test-comp-pac-gitlab-g4598s",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "Merge_Request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRun": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRunUID": "e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3"
                },
                "name": "tesbdb7a39d9dfbfbf309dc966e461e9191-coverity-availability-check",
                "namespace": "gitlab-rep-jm2z",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                        "uid": "e6c45fbc-9e1c-455a-84cc-1522392916d0"
                    }
                ],
                "resourceVersion": "68327",
                "uid": "7532e644-18fd-43bf-97bf-bf9d5defb755"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-test-comp-pac-gitlab-g4598s",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:43:29Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:43:29Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tesbdb7a39d9dfbfbf309dc966e9f5e673f015bc7a5690a387ff2e1abbf-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-02T12:43:28+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:43:14Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://eb10d294cd6429fbd8e9736c16753887495854af6e02594a9780882f31069d8f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:28Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-02T12:43:28+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:28Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/tree/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/commit_sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/pull_request_number": "17885",
                    "build.appstudio.redhat.com/target_branch": "base-gitlab-k2hpmc",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-gitlab-k2hpmc",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "Merge Request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-nodqgv",
                    "pipelinesascode.tekton.dev/git-provider": "gitlab",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/gitlab-rep-jm2z/pipelinerun/test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-gitlab-k2hpmc\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/commit/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/source-project-id": "56586709",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/target-project-id": "56586709",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0/records/b317eef9-9199-4756-9d9f-77f3422792ae",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"hacbs-test-project-integration\",\"commit\":\"eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"eventType\":\"Merge Request\",\"pull_request-id\":17885}",
                    "results.tekton.dev/result": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-gitlab-g4598s",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:43:13Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-02T12:44:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-evo0",
                    "appstudio.openshift.io/component": "test-comp-pac-gitlab-g4598s",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "Merge_Request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRun": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRunUID": "e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3"
                },
                "name": "tesbdb7a39d9dfbfbf309dc966e461e9191-deprecated-base-image-check",
                "namespace": "gitlab-rep-jm2z",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                        "uid": "e6c45fbc-9e1c-455a-84cc-1522392916d0"
                    }
                ],
                "resourceVersion": "68316",
                "uid": "b317eef9-9199-4756-9d9f-77f3422792ae"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-gitlab-g4598s",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:43:32Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:43:32Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tesbdb7a39d9dfbfbf309dc966e6f3298a9566c9f9145e82b57df9708c0-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\", \"digests\": [\"sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:43:31+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:43:13Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://fe5044feba3e21bf194184e2c3bd2eabf8e8890a3e7b31d20d8153d5b3fe4ffe",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:31Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\\\", \\\"digests\\\": [\\\"sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:43:31+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:21Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/tree/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/commit_sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/pull_request_number": "17885",
                    "build.appstudio.redhat.com/target_branch": "base-gitlab-k2hpmc",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-4702160c28",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-gitlab-k2hpmc",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "Merge Request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-nodqgv",
                    "pipelinesascode.tekton.dev/git-provider": "gitlab",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/gitlab-rep-jm2z/pipelinerun/test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-gitlab-k2hpmc\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/commit/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/source-project-id": "56586709",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/target-project-id": "56586709",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0/records/3c9698fa-5207-42e2-9c02-a74a2340ccd0",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"hacbs-test-project-integration\",\"commit\":\"eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"eventType\":\"Merge Request\",\"pull_request-id\":17885}",
                    "results.tekton.dev/result": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-gitlab-g4598s",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:43:14Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-02T12:44:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-evo0",
                    "appstudio.openshift.io/component": "test-comp-pac-gitlab-g4598s",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "Merge_Request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRun": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRunUID": "e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3"
                },
                "name": "test-comp-pabdb7a39d9dfbfbf309dc966e461e9191-sast-unicode-check",
                "namespace": "gitlab-rep-jm2z",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                        "uid": "e6c45fbc-9e1c-455a-84cc-1522392916d0"
                    }
                ],
                "resourceVersion": "68319",
                "uid": "3c9698fa-5207-42e2-9c02-a74a2340ccd0"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-gitlab-g4598s",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-86071bb876"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:43:35Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:43:35Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-pabdb7a39d9dfbfbf3a575ca461e7cf7f70b4d37d57b98754-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:43:30+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:43:16Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://aba463d6245026e223ae5be49f5251bf899ce6fa720039f2aa44ee11e46e8e38",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:30Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:43:30+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:29Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://55b65d822bfa26bb268543ca3ceba5a708eaecd1b1095ed4e36f674552e8db2d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:33Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:43:30+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:31Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/tree/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/commit_sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/pull_request_number": "17885",
                    "build.appstudio.redhat.com/target_branch": "base-gitlab-k2hpmc",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-4702160c28",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-gitlab-k2hpmc",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "Merge Request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-nodqgv",
                    "pipelinesascode.tekton.dev/git-provider": "gitlab",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/gitlab-rep-jm2z/pipelinerun/test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-gitlab-k2hpmc\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/commit/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/source-project-id": "56586709",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/target-project-id": "56586709",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0/records/a2574e8b-a488-45fa-90af-89c133eb9411",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"hacbs-test-project-integration\",\"commit\":\"eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"eventType\":\"Merge Request\",\"pull_request-id\":17885}",
                    "results.tekton.dev/result": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-gitlab-g4598s",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:40:16Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-02T12:44:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-evo0",
                    "appstudio.openshift.io/component": "test-comp-pac-gitlab-g4598s",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "Merge_Request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRun": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRunUID": "e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3"
                },
                "name": "test-comp-pac-bdb7a39d9dfbfbf309dc966e461e9191-clone-repository",
                "namespace": "gitlab-rep-jm2z",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                        "uid": "e6c45fbc-9e1c-455a-84cc-1522392916d0"
                    }
                ],
                "resourceVersion": "68313",
                "uid": "a2574e8b-a488-45fa-90af-89c133eb9411"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://gitlab.com/konflux-qe/hacbs-test-project-integration"
                    },
                    {
                        "name": "revision",
                        "value": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-gitlab-g4598s",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-86071bb876"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-nodqgv"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:40:22Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:40:22Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-pac-bdb7a39d9dfbf34f8dbece2f891ee1b0df448636dfb81-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://gitlab.com/konflux-qe/hacbs-test-project-integration"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1782995994"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "eba0023"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://gitlab.com/konflux-qe/hacbs-test-project-integration"
                    }
                ],
                "startTime": "2026-07-02T12:40:16Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://1ab7e774b6eb0047367030053971b354ca5a3717d2173facadf5cc91d8443e31",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:40:21Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://gitlab.com/konflux-qe/hacbs-test-project-integration\",\"type\":1},{\"key\":\"commit\",\"value\":\"eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782995994\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"eba0023\",\"type\":1},{\"key\":\"url\",\"value\":\"https://gitlab.com/konflux-qe/hacbs-test-project-integration\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:40:21Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://1a9b4b67894d6f113c257afaccb89051517cefa710ff0210495efd3a4920e4de",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:40:22Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://gitlab.com/konflux-qe/hacbs-test-project-integration\",\"type\":1},{\"key\":\"commit\",\"value\":\"eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782995994\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"eba0023\",\"type\":1},{\"key\":\"url\",\"value\":\"https://gitlab.com/konflux-qe/hacbs-test-project-integration\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:40:22Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://gitlab.com/konflux-qe/hacbs-test-project-integration"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/tree/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/commit_sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/pull_request_number": "17885",
                    "build.appstudio.redhat.com/target_branch": "base-gitlab-k2hpmc",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-4702160c28",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-gitlab-k2hpmc",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "Merge Request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-nodqgv",
                    "pipelinesascode.tekton.dev/git-provider": "gitlab",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/gitlab-rep-jm2z/pipelinerun/test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-gitlab-k2hpmc\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/commit/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/source-project-id": "56586709",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/target-project-id": "56586709",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0/records/1bf7c4a6-3d91-4cb9-ae28-f60c9638ebbd",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"hacbs-test-project-integration\",\"commit\":\"eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"eventType\":\"Merge Request\",\"pull_request-id\":17885}",
                    "results.tekton.dev/result": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-gitlab-g4598s",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:43:14Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-02T12:44:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-evo0",
                    "appstudio.openshift.io/component": "test-comp-pac-gitlab-g4598s",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "Merge_Request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRun": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRunUID": "e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3"
                },
                "name": "test-comp-pac-bdb7a39d9dfbfbf309dc966e461e9191-sast-shell-check",
                "namespace": "gitlab-rep-jm2z",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                        "uid": "e6c45fbc-9e1c-455a-84cc-1522392916d0"
                    }
                ],
                "resourceVersion": "68300",
                "uid": "1bf7c4a6-3d91-4cb9-ae28-f60c9638ebbd"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-gitlab-g4598s",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-86071bb876"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:43:35Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:43:35Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-pac-bdb7a39d9dfbf331e12cc08e78f6dd001615d47f3158a-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:43:30+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:43:16Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://feb4fdcb1f04530738e79520b9e661accfc73f3f7afea4b2aaa81382fbcfce7a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:30Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:43:30+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:29Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://79e51322d56beb982c24562e6431f8822ea299cb836685ae5439fb26d6baf9ed",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:33Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:43:30+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:31Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/tree/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/commit_sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/pull_request_number": "17885",
                    "build.appstudio.redhat.com/target_branch": "base-gitlab-k2hpmc",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-4702160c28",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-gitlab-k2hpmc",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "Merge Request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-nodqgv",
                    "pipelinesascode.tekton.dev/git-provider": "gitlab",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/gitlab-rep-jm2z/pipelinerun/test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-gitlab-k2hpmc\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/commit/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/source-project-id": "56586709",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/target-project-id": "56586709",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0/records/2576709a-1359-42fc-a1d5-4eee7debe036",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"hacbs-test-project-integration\",\"commit\":\"eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"eventType\":\"Merge Request\",\"pull_request-id\":17885}",
                    "results.tekton.dev/result": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-gitlab-g4598s",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:40:33Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-02T12:44:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-evo0",
                    "appstudio.openshift.io/component": "test-comp-pac-gitlab-g4598s",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "Merge_Request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRun": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRunUID": "e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3"
                },
                "name": "test-comp-pac-gbdb7a39d9dfbfbf309dc966e461e9191-build-container",
                "namespace": "gitlab-rep-jm2z",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                        "uid": "e6c45fbc-9e1c-455a-84cc-1522392916d0"
                    }
                ],
                "resourceVersion": "68306",
                "uid": "2576709a-1359-42fc-a1d5-4eee7debe036"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://gitlab.com/konflux-qe/hacbs-test-project-integration"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-gitlab-g4598s",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-86071bb876"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:43:01Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:43:01Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-pac-gbdb7a39d9dfb5ed3233e022565159d10f052f36524be-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5@sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s@sha256:be297fe8ca1aeaf4b39efc997425c2d1537163713bad02f954edae8f70ec6fe0"
                    }
                ],
                "startTime": "2026-07-02T12:40:33Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8f31a0872277f033ba4b54475c3f8128f9b7328e759ec68812776cd7c026686f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:41:15Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:40:40Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://875f766aaa9a458d43819de69613c4af82f8a09724de7ea51174d32f0821faa9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:41:43Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5@sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:41:16Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f79095c03e09b371912d0f21dfeccb6d3e114509c1605faa91794729bc9f3bb9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:41:56Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5@sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:41:43Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4c2016bde61060003d670305d2869d9d16b81a6e1bc03b6f671d80578bb3f82d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:42:21Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5@sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:41:57Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a6166c405bc8ed2fde3afea49aa7f2b34a6db64dd8f41b55bc050187d342ba5d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:00Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5@sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s@sha256:be297fe8ca1aeaf4b39efc997425c2d1537163713bad02f954edae8f70ec6fe0\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:42:21Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "."
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://gitlab.com/konflux-qe/hacbs-test-project-integration"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "test-comp-pac-gbdb7a39d9dfbfbf309dc966e461e9191-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/tree/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/commit_sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/pull_request_number": "17885",
                    "build.appstudio.redhat.com/target_branch": "base-gitlab-k2hpmc",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-4702160c28",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-gitlab-k2hpmc",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "Merge Request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-nodqgv",
                    "pipelinesascode.tekton.dev/git-provider": "gitlab",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/gitlab-rep-jm2z/pipelinerun/test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-gitlab-k2hpmc\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/commit/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/source-project-id": "56586709",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/target-project-id": "56586709",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0/records/fb25b9ca-5edb-4c0a-82bc-1c476230a9a2",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"hacbs-test-project-integration\",\"commit\":\"eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"eventType\":\"Merge Request\",\"pull_request-id\":17885}",
                    "results.tekton.dev/result": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-gitlab-g4598s",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:43:14Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-02T12:44:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-evo0",
                    "appstudio.openshift.io/component": "test-comp-pac-gitlab-g4598s",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "Merge_Request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRun": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRunUID": "e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3"
                },
                "name": "test-comp-pac-gbdb7a39d9dfbfbf309dc966e461e9191-push-dockerfile",
                "namespace": "gitlab-rep-jm2z",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                        "uid": "e6c45fbc-9e1c-455a-84cc-1522392916d0"
                    }
                ],
                "resourceVersion": "68291",
                "uid": "fb25b9ca-5edb-4c0a-82bc-1c476230a9a2"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-gitlab-g4598s",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-86071bb876"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:43:31Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:43:31Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-pac-gbdb7a39d9dfbae9f4f8b4accd6af8ce67620bd4ae2a3-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s@sha256:d46aaf1fb7c6b276c2799600cde9d289d8be855b5ddec896413ec8fb85d8a907"
                    }
                ],
                "startTime": "2026-07-02T12:43:17Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://646cfb13f457ef8e80dbe80cb37ce8a973c13cf6fc9a997dcdbca5a9373e5276",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:30Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s@sha256:d46aaf1fb7c6b276c2799600cde9d289d8be855b5ddec896413ec8fb85d8a907\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:28Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                ".",
                                "--containerfile",
                                "Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                                "--image-digest",
                                "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/tree/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/commit_sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/pull_request_number": "17885",
                    "build.appstudio.redhat.com/target_branch": "base-gitlab-k2hpmc",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-4702160c28",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-gitlab-k2hpmc",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "Merge Request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-nodqgv",
                    "pipelinesascode.tekton.dev/git-provider": "gitlab",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/gitlab-rep-jm2z/pipelinerun/test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-gitlab-k2hpmc\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/commit/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/source-project-id": "56586709",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/target-project-id": "56586709",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0/records/be2b86c3-7ba4-4465-9a7b-9b53fbc0f5fc",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"hacbs-test-project-integration\",\"commit\":\"eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"eventType\":\"Merge Request\",\"pull_request-id\":17885}",
                    "results.tekton.dev/result": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-gitlab-g4598s",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:43:13Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-02T12:44:57Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-evo0",
                    "appstudio.openshift.io/component": "test-comp-pac-gitlab-g4598s",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "Merge_Request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRun": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRunUID": "e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3"
                },
                "name": "test-comp-pac-gbdb7a39d9dfbfbf309dc966e461e9191-sast-snyk-check",
                "namespace": "gitlab-rep-jm2z",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                        "uid": "e6c45fbc-9e1c-455a-84cc-1522392916d0"
                    }
                ],
                "resourceVersion": "68344",
                "uid": "be2b86c3-7ba4-4465-9a7b-9b53fbc0f5fc"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-gitlab-g4598s",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-86071bb876"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:43:31Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:43:31Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-pac-gbdb7a39d9dfbb02d4cfa6e20a8c15a22eb4b9a42ddee-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-02T12:43:30+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:43:14Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://0a267c0646f90eb4152e43bdcaaefcb6af9086984252857e07c40211e7277d34",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:30Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-02T12:43:30+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:28Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3080b2c135926e1b48cfc3641c78b8446b0a2ddd08bea1698185e53e9d27c6f0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:30Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-02T12:43:30+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:30Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/tree/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/commit_sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/pull_request_number": "17885",
                    "build.appstudio.redhat.com/target_branch": "base-gitlab-k2hpmc",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-gitlab-k2hpmc",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "Merge Request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-nodqgv",
                    "pipelinesascode.tekton.dev/git-provider": "gitlab",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/gitlab-rep-jm2z/pipelinerun/test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-gitlab-k2hpmc\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/commit/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/source-project-id": "56586709",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/target-project-id": "56586709",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0/records/04f29746-3005-42eb-8282-d4fa9835bf01",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"hacbs-test-project-integration\",\"commit\":\"eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"eventType\":\"Merge Request\",\"pull_request-id\":17885}",
                    "results.tekton.dev/result": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-gitlab-g4598s",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:43:13Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-02T12:44:57Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-evo0",
                    "appstudio.openshift.io/component": "test-comp-pac-gitlab-g4598s",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "Merge_Request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRun": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRunUID": "e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3"
                },
                "name": "test-comp-pac-gitlab-g4598s-on-6b2eab4689a33cf85208ac9d60674e68",
                "namespace": "gitlab-rep-jm2z",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                        "uid": "e6c45fbc-9e1c-455a-84cc-1522392916d0"
                    }
                ],
                "resourceVersion": "68342",
                "uid": "04f29746-3005-42eb-8282-d4fa9835bf01"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-gitlab-g4598s",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:44:00Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:44:00Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-pac-gitlab-g4598s9cbea9698e384dfecb102a8db069cc28-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\", \"digests\": [\"sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782996238\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-02T12:43:13Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://e0fd99bd65c7234d988e4623773b3e372e930125af2cd3679a826824fea13f9f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:31Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:29Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://996eef1c65b262f64a168c2ec6836a9a444f6d9a75c7da761663cf9835ca6b4e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:31Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:31Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://bb94a84ae8e5def85ff45a31a16ce01bc1cf7bc642140260822650f303014bdc",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:31Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:31Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5694356e1bf547b3a55c756a71f2321fa56d8c3618319a558c8dc2bb2c08077d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:57Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:32Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\", \"digests\": [\"sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782996238\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://620e414b8601053c29383a5f6829486f44a6bdae3cbd33131e132f08632d373c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:59Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\\\", \\\"digests\\\": [\\\"sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782996238\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:58Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782996238\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://1350091f6b33dc01cd0932a35154a74eb8f99f38461b3408efb721b4ec0b191c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:44:00Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782996238\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:44:00Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/tree/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/commit_sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/pull_request_number": "17885",
                    "build.appstudio.redhat.com/target_branch": "base-gitlab-k2hpmc",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-gitlab-k2hpmc",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "Merge Request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-nodqgv",
                    "pipelinesascode.tekton.dev/git-provider": "gitlab",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/gitlab-rep-jm2z/pipelinerun/test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-gitlab-k2hpmc\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/commit/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/source-project-id": "56586709",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/target-project-id": "56586709",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0/records/cd513bc5-33da-467c-a62f-8de4c3da9ece",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"hacbs-test-project-integration\",\"commit\":\"eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"eventType\":\"Merge Request\",\"pull_request-id\":17885}",
                    "results.tekton.dev/result": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-gitlab-g4598s",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:43:14Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-02T12:44:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-evo0",
                    "appstudio.openshift.io/component": "test-comp-pac-gitlab-g4598s",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "Merge_Request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRun": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRunUID": "e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3"
                },
                "name": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn-apply-tags",
                "namespace": "gitlab-rep-jm2z",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                        "uid": "e6c45fbc-9e1c-455a-84cc-1522392916d0"
                    }
                ],
                "resourceVersion": "68294",
                "uid": "cd513bc5-33da-467c-a62f-8de4c3da9ece"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-gitlab-g4598s",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:43:29Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:43:29Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-pac-gitlab-g4598scc38d07ffc22006ab9ba2d19eb221015-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-02T12:43:16Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://18eac95a79cb57b7c4a1812faca321fdfb4832448a7c06986d7d41c887915da8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:28Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:26Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                                "--digest",
                                "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/tree/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/commit_sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/pull_request_number": "17885",
                    "build.appstudio.redhat.com/target_branch": "base-gitlab-k2hpmc",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-gitlab-k2hpmc",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "Merge Request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-nodqgv",
                    "pipelinesascode.tekton.dev/git-provider": "gitlab",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/gitlab-rep-jm2z/pipelinerun/test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-gitlab-k2hpmc\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/commit/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/source-project-id": "56586709",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/target-project-id": "56586709",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0/records/7ae176e6-f411-43ae-945b-5c2e33524819",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"hacbs-test-project-integration\",\"commit\":\"eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"eventType\":\"Merge Request\",\"pull_request-id\":17885}",
                    "results.tekton.dev/result": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-gitlab-g4598s",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:43:13Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-02T12:44:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-evo0",
                    "appstudio.openshift.io/component": "test-comp-pac-gitlab-g4598s",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "Merge_Request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRun": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRunUID": "e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3"
                },
                "name": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn-clair-scan",
                "namespace": "gitlab-rep-jm2z",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                        "uid": "e6c45fbc-9e1c-455a-84cc-1522392916d0"
                    }
                ],
                "resourceVersion": "68288",
                "uid": "7ae176e6-f411-43ae-945b-5c2e33524819"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-gitlab-g4598s",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:43:56Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:43:56Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-pac-gitlab-g4598s0ab163ad16553ba93a65e489ec34dc5a-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\", \"digests\": [\"sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\":\"sha256:d4f1d0a11f5f294828b7fa4ed1074aa6988ffeb9d8425c5bbd7e948f5415e20a\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":147,\"low\":150,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:43:55+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:43:13Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://cd238e0c12c7993aa50089231ebda5e07fc477bb9f9b316987b9de1c5ac96646",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:33Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:27Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://1107b71bb64041489f58e564d0b094490bd385bcc3ae9a02d0cd6aaf910374d1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:47Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9ece7e62da44cfe263453ac17a2aeaff5874d0ad6c01c0f24d8e3dbcd37381cb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:51Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:48Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d1cca7f58b56692c0f6e6d3508466f30c91ec5610c74c042db5721467fcad727",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:55Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\\\", \\\"digests\\\": [\\\"sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\\\":\\\"sha256:d4f1d0a11f5f294828b7fa4ed1074aa6988ffeb9d8425c5bbd7e948f5415e20a\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":147,\\\"low\\\":150,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:43:55+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:51Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/tree/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/commit_sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/pull_request_number": "17885",
                    "build.appstudio.redhat.com/target_branch": "base-gitlab-k2hpmc",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-gitlab-k2hpmc",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "Merge Request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-nodqgv",
                    "pipelinesascode.tekton.dev/git-provider": "gitlab",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/gitlab-rep-jm2z/pipelinerun/test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-gitlab-k2hpmc\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/commit/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/source-project-id": "56586709",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/target-project-id": "56586709",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0/records/945f2156-370e-4b54-b90b-a3a5415d33d9",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"hacbs-test-project-integration\",\"commit\":\"eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"eventType\":\"Merge Request\",\"pull_request-id\":17885}",
                    "results.tekton.dev/result": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-gitlab-g4598s",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:43:13Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-02T12:44:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-evo0",
                    "appstudio.openshift.io/component": "test-comp-pac-gitlab-g4598s",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "Merge_Request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRun": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRunUID": "e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3"
                },
                "name": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn-clamav-scan",
                "namespace": "gitlab-rep-jm2z",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                        "uid": "e6c45fbc-9e1c-455a-84cc-1522392916d0"
                    }
                ],
                "resourceVersion": "68298",
                "uid": "945f2156-370e-4b54-b90b-a3a5415d33d9"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-gitlab-g4598s",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:44:11Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:44:11Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-pac-gitlab-g4598s8cc30a92089f014869afbdff44a4c427-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\", \"digests\": [\"sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782996248\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-02T12:43:14Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:51306b4d971e7c1fa2bd1a055b4727dcd33ca920b9899642aba57bf79237fa93",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4e7689a7f5b290fad29844baf768946be8eb609028b17347806b16d33078d843",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:44:08Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\\\", \\\"digests\\\": [\\\"sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782996248\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:30Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7910173438ce587f8b7050e52ddbb6569d82f93da18d1431ec854fa2871f4450",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:44:11Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\\\", \\\"digests\\\": [\\\"sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782996248\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:44:08Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/tree/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/commit_sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/pull_request_number": "17885",
                    "build.appstudio.redhat.com/target_branch": "base-gitlab-k2hpmc",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-gitlab-k2hpmc",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "Merge Request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-nodqgv",
                    "pipelinesascode.tekton.dev/git-provider": "gitlab",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/gitlab-rep-jm2z/pipelinerun/test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-gitlab-k2hpmc\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/commit/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/source-project-id": "56586709",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/target-project-id": "56586709",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0/records/3ce0f091-8a4d-4c26-a0df-115dfecbb36a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"hacbs-test-project-integration\",\"commit\":\"eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"eventType\":\"Merge Request\",\"pull_request-id\":17885}",
                    "results.tekton.dev/result": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-gitlab-g4598s",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:43:01Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-02T12:44:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-evo0",
                    "appstudio.openshift.io/component": "test-comp-pac-gitlab-g4598s",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "Merge_Request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRun": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRunUID": "e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3"
                },
                "name": "test-comp-pacbdb7a39d9dfbfbf309dc966e461e9191-build-image-index",
                "namespace": "gitlab-rep-jm2z",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                        "uid": "e6c45fbc-9e1c-455a-84cc-1522392916d0"
                    }
                ],
                "resourceVersion": "68324",
                "uid": "3ce0f091-8a4d-4c26-a0df-115dfecbb36a"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5@sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-gitlab-g4598s",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:43:13Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:43:13Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-pacbdb7a39d9dfbfb010307c9d4034e67f403aa68f2bd04d3-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s@sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                    }
                ],
                "startTime": "2026-07-02T12:43:01Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://cebcdba8d7b81da085e90aee53893973854054db18315311aee991a86edfbcdd",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:09Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s@sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:05Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9c3d3e73ec206e9b7296972bb75e23ea719c49668cd9aa3df78f8a1d7e95e077",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:09Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s@sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:09Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://24d5a83c5f4d3ecf819f87a3d08f60223478934ca1ed39fffe7fd8627ff9fdb7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:13Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s@sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:09Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5@sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:test-comp-pacbdb7a39d9dfbfbf309dc966e461e9191-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:test-comp-pacbdb7a39d9dfbfbf309dc966e461e9191-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/tree/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/commit_sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/pull_request_number": "17885",
                    "build.appstudio.redhat.com/target_branch": "base-gitlab-k2hpmc",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-gitlab-k2hpmc",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "Merge Request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-nodqgv",
                    "pipelinesascode.tekton.dev/git-provider": "gitlab",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/gitlab-rep-jm2z/pipelinerun/test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-gitlab-k2hpmc\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/commit/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/source-project-id": "56586709",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/target-project-id": "56586709",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0/records/8b427b34-f0f8-4271-b367-8c58e20b10c6",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"hacbs-test-project-integration\",\"commit\":\"eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"eventType\":\"Merge Request\",\"pull_request-id\":17885}",
                    "results.tekton.dev/result": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-gitlab-g4598s",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:43:14Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-02T12:44:56Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-evo0",
                    "appstudio.openshift.io/component": "test-comp-pac-gitlab-g4598s",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "Merge_Request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRun": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRunUID": "e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3"
                },
                "name": "test-comp-pbdb7a39d9dfbfbf309dc966e461e9191-rpms-signature-scan",
                "namespace": "gitlab-rep-jm2z",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                        "uid": "e6c45fbc-9e1c-455a-84cc-1522392916d0"
                    }
                ],
                "resourceVersion": "68304",
                "uid": "8b427b34-f0f8-4271-b367-8c58e20b10c6"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-gitlab-g4598s",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:43:53Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:43:53Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-comp-pbdb7a39d9dfbfbf3889565b30480ce23a806c1eeb819d275-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\", \"digests\": [\"sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 132, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:43:53+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:43:17Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://74e572f0860440c4a4792f1f39f388abbdb3230260bfb659fcd640438d472fd9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:52Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:31Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://abaf8d486e9d0edb47fa34962e922c0979c15548c54b5bdd82baf139b408ae1b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:43:53Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\\\", \\\"digests\\\": [\\\"sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 132, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:43:53+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:43:52Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/gitlab-rep-jm2z/test-comp-pac-gitlab-g4598s:on-pr-eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:ea604735a2e12a54ed241ceea94245bdc4b330412d988e2738daed5452ef40fd"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/tree/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/commit_sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "build.appstudio.redhat.com/pull_request_number": "17885",
                    "build.appstudio.redhat.com/target_branch": "base-gitlab-k2hpmc",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-4702160c28",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "base-gitlab-k2hpmc",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "Merge Request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-nodqgv",
                    "pipelinesascode.tekton.dev/git-provider": "gitlab",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/gitlab-rep-jm2z/pipelinerun/test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-gitlab-k2hpmc\"",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-qe-bot",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/sha-title": "Konflux update test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration/-/commit/eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/source-project-id": "56586709",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://gitlab.com/konflux-qe/hacbs-test-project-integration",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/target-project-id": "56586709",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0/records/558b03dc-b850-4ee6-98b5-fbf9ba8ada9c",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"hacbs-test-project-integration\",\"commit\":\"eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5\",\"eventType\":\"Merge Request\",\"pull_request-id\":17885}",
                    "results.tekton.dev/result": "gitlab-rep-jm2z/results/e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-test-comp-pac-gitlab-g4598s",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:40:23Z",
                "deletionGracePeriodSeconds": 0,
                "deletionTimestamp": "2026-07-02T12:44:57Z",
                "finalizers": [
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-evo0",
                    "appstudio.openshift.io/component": "test-comp-pac-gitlab-g4598s",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/event-type": "Merge_Request",
                    "pipelinesascode.tekton.dev/original-prname": "test-comp-pac-gitlab-g4598s-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "17885",
                    "pipelinesascode.tekton.dev/repository": "test-comp-pac-gitlab-g4598s",
                    "pipelinesascode.tekton.dev/sha": "eba0023fa5bd12321dd22c83c2dbcc05acaf3ff5",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "konflux-qe",
                    "pipelinesascode.tekton.dev/url-repository": "hacbs-test-project-integration",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRun": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                    "tekton.dev/pipelineRunUID": "e6c45fbc-9e1c-455a-84cc-1522392916d0",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies",
                    "test.appstudio.openshift.io/pr-group-sha": "27e018f34ab66e3f0ee9e1edde84a9ae4a12ee5b02ba8078a8b91f749815a3"
                },
                "name": "test-compbdb7a39d9dfbfbf309dc966e461e9191-prefetch-dependencies",
                "namespace": "gitlab-rep-jm2z",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "test-comp-pac-gitlab-g4598s-on-pull-request-q9rnn",
                        "uid": "e6c45fbc-9e1c-455a-84cc-1522392916d0"
                    }
                ],
                "resourceVersion": "68338",
                "uid": "558b03dc-b850-4ee6-98b5-fbf9ba8ada9c"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-test-comp-pac-gitlab-g4598s",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-86071bb876"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-nodqgv"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:40:33Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:40:33Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "test-compbdb7a39d9dfbfbf309eeaff2773106daf89974ca2daf2b4f3a-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-02T12:40:23Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7f9c77ad9b65dec730bf11b1a9324bfb8d4a7900a65d7822f789f3dbe5393d46",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:40:32Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:40:27Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/commit_sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/pull_request_number": "9604",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vvbbfv",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072/records/92d95ff8-1be5-4281-9e74-f63ba36d500a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"d442d3994e1d0c59fc989157fc83f609c8448444\",\"eventType\":\"pull_request\",\"pull_request-id\":9604}",
                    "results.tekton.dev/result": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-44r7zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:57:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRunUID": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "f36298afe4a57dcf248fd10af85e8b4a8e6adabeaad32c9cbfcdf0c41678d4"
                },
                "name": "kon0bf2d095cb9733df7a56ae6419c93ca6-coverity-availability-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                        "uid": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072"
                    }
                ],
                "resourceVersion": "30061",
                "uid": "92d95ff8-1be5-4281-9e74-f63ba36d500a"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:57:28Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:57:28Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "kon0bf2d095cb9733df7a56ae646f3cf56f4e3b575977b199fba6ab1d10-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-02T11:57:27+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T11:57:18Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://da2fd2ae952e9c9c9816e9aa002b6210801eaa41a449b31b4e4a0e966a41b1ea",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:27Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-02T11:57:27+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:27Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/commit_sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/pull_request_number": "9604",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vvbbfv",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072/records/4cd6ebf1-d803-44e7-9b61-4e939bf3d169",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"d442d3994e1d0c59fc989157fc83f609c8448444\",\"eventType\":\"pull_request\",\"pull_request-id\":9604}",
                    "results.tekton.dev/result": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-44r7zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:57:16Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRunUID": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "f36298afe4a57dcf248fd10af85e8b4a8e6adabeaad32c9cbfcdf0c41678d4"
                },
                "name": "kon0bf2d095cb9733df7a56ae6419c93ca6-deprecated-base-image-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                        "uid": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072"
                    }
                ],
                "resourceVersion": "30150",
                "uid": "4cd6ebf1-d803-44e7-9b61-4e939bf3d169"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:57:34Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:57:34Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "kon0bf2d095cb9733df7a56ae646a654da502483cdb5f39c469977dd8e7-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444\", \"digests\": [\"sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T11:57:33+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T11:57:16Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c5a74086f18de076d307dd3ed829fe6dea9c42d4e94487310f4333b8dbc01177",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:34Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444\\\", \\\"digests\\\": [\\\"sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T11:57:33+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:23Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/commit_sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/pull_request_number": "9605",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-btwmob",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1/records/4d76e8ec-6929-4393-be4f-1b020e746344",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"eventType\":\"pull_request\",\"pull_request-id\":9605}",
                    "results.tekton.dev/result": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:02:38Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRunUID": "23b82297-7ace-463a-ae12-55736692e1a1",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "kon4231781bef2aaa90a8dad499035c843c-coverity-availability-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                        "uid": "23b82297-7ace-463a-ae12-55736692e1a1"
                    }
                ],
                "resourceVersion": "35522",
                "uid": "4d76e8ec-6929-4393-be4f-1b020e746344"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:02:52Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:02:52Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "kon4231781bef2aaa90a8dad499ca24a523650cecc9af3f2ab8bb6ae403-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-02T12:02:51+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:02:39Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://734d02be1bc4e2c0a08884551033402eb4e8558bfdddb7cd163fd96a19392089",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:02:51Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-02T12:02:51+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:51Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/commit_sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/pull_request_number": "9605",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-btwmob",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1/records/13bc8d5c-196e-4328-a303-2062634a0e63",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"eventType\":\"pull_request\",\"pull_request-id\":9605}",
                    "results.tekton.dev/result": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:02:37Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRunUID": "23b82297-7ace-463a-ae12-55736692e1a1",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "kon4231781bef2aaa90a8dad499035c843c-deprecated-base-image-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                        "uid": "23b82297-7ace-463a-ae12-55736692e1a1"
                    }
                ],
                "resourceVersion": "35623",
                "uid": "13bc8d5c-196e-4328-a303-2062634a0e63"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:02:57Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:02:57Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "kon4231781bef2aaa90a8dad499d17ab39939546466c6de73806940795d-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2\", \"digests\": [\"sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:02:56+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:02:37Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2a1b8fc139b9dca2ff03dc2c898b85fb9567dffca4dd83e357fc987d7a1a30d2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:02:56Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2\\\", \\\"digests\\\": [\\\"sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:02:56+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:45Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/commit_sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/pull_request_number": "9604",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-82d4d26c2f",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vvbbfv",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072/records/1f93c33a-421c-45fa-a1b8-ea9bdeeaf5bc",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"d442d3994e1d0c59fc989157fc83f609c8448444\",\"eventType\":\"pull_request\",\"pull_request-id\":9604}",
                    "results.tekton.dev/result": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-44r7zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:54:21Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRunUID": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies",
                    "test.appstudio.openshift.io/pr-group-sha": "f36298afe4a57dcf248fd10af85e8b4a8e6adabeaad32c9cbfcdf0c41678d4"
                },
                "name": "konflux-t0bf2d095cb9733df7a56ae6419c93ca6-prefetch-dependencies",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                        "uid": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072"
                    }
                ],
                "resourceVersion": "27941",
                "uid": "1f93c33a-421c-45fa-a1b8-ea9bdeeaf5bc"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b816eb5363"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-vvbbfv"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:54:30Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:54:30Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-t0bf2d095cb9733df7a364886a3f896fa3e8fd2f4f313986aa4-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-02T11:54:21Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c65ab4d41736988b4d9c078471034b0597e36f4526e6d592a91813ec3fc8df93",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:54:30Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:54:24Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/commit_sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/pull_request_number": "9605",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-e1c3eb0f2c",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-btwmob",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1/records/19669f5d-383b-4698-8615-b2356ba49a1d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"eventType\":\"pull_request\",\"pull_request-id\":9605}",
                    "results.tekton.dev/result": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:59:39Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRunUID": "23b82297-7ace-463a-ae12-55736692e1a1",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "konflux-t4231781bef2aaa90a8dad499035c843c-prefetch-dependencies",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                        "uid": "23b82297-7ace-463a-ae12-55736692e1a1"
                    }
                ],
                "resourceVersion": "33386",
                "uid": "19669f5d-383b-4698-8615-b2356ba49a1d"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-d762e1b93e"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-btwmob"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:59:51Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:59:51Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-t4231781bef2aaa90a853a2b2c8b770c9106b3ef8a3421be2cb-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-02T11:59:39Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d4bd3073fba3c5916900973d268d71a09c5092fa681abf2c883f2e97c85b4bc6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:59:49Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:59:43Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/commit_sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/pull_request_number": "9604",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vvbbfv",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072/records/dd4319e7-3d15-4467-9629-42918137ef1a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"d442d3994e1d0c59fc989157fc83f609c8448444\",\"eventType\":\"pull_request\",\"pull_request-id\":9604}",
                    "results.tekton.dev/result": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-44r7zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:57:17Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRunUID": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "f36298afe4a57dcf248fd10af85e8b4a8e6adabeaad32c9cbfcdf0c41678d4"
                },
                "name": "konflux-tes0bf2d095cb9733df7a56ae6419c93ca6-rpms-signature-scan",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                        "uid": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072"
                    }
                ],
                "resourceVersion": "30755",
                "uid": "dd4319e7-3d15-4467-9629-42918137ef1a"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:57:55Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:57:55Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-tes0bf2d095cb9733df1cd284fd0fb797d3073a1a68e525f84f-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444\", \"digests\": [\"sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 132, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T11:57:53+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T11:57:20Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f93a76c25aa8f3ff3b49f75f2a775932ab75131fa4eefb563aac13b14e9e619c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:52Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:31Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://088e757a1eb367f2499f1631cf9fda1730f6e8976663116e6cd0a4af5abe1285",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:54Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444\\\", \\\"digests\\\": [\\\"sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 132, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T11:57:53+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:53Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/commit_sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/pull_request_number": "9605",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-btwmob",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1/records/12ec86a1-8243-4e2e-a894-1aad71a2e528",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"eventType\":\"pull_request\",\"pull_request-id\":9605}",
                    "results.tekton.dev/result": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:02:38Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRunUID": "23b82297-7ace-463a-ae12-55736692e1a1",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "konflux-tes4231781bef2aaa90a8dad499035c843c-rpms-signature-scan",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                        "uid": "23b82297-7ace-463a-ae12-55736692e1a1"
                    }
                ],
                "resourceVersion": "36221",
                "uid": "12ec86a1-8243-4e2e-a894-1aad71a2e528"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:03:22Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:03:22Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-tes4231781bef2aaa905d2ace8033df926511ae6a001beb7389-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2\", \"digests\": [\"sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 132, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:03:22+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:02:42Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://cbcee957249fa5eb30b00eb827204cce3b32c68dfea366e272562bfb3dbd4f2f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:03:21Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:53Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://123de41c428cf1889a00a773453511a829d69bc1b58e0b9f5060782c44a928ef",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:03:22Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2\\\", \\\"digests\\\": [\\\"sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 132, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:03:22+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:03:21Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/commit_sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/pull_request_number": "9604",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vvbbfv",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072/records/704eafda-d865-4c31-a366-1e72002e1265",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"d442d3994e1d0c59fc989157fc83f609c8448444\",\"eventType\":\"pull_request\",\"pull_request-id\":9604}",
                    "results.tekton.dev/result": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-44r7zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:57:04Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRunUID": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "f36298afe4a57dcf248fd10af85e8b4a8e6adabeaad32c9cbfcdf0c41678d4"
                },
                "name": "konflux-test-0bf2d095cb9733df7a56ae6419c93ca6-build-image-index",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                        "uid": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072"
                    }
                ],
                "resourceVersion": "29542",
                "uid": "704eafda-d865-4c31-a366-1e72002e1265"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "d442d3994e1d0c59fc989157fc83f609c8448444"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444@sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:57:16Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:57:16Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-0bf2d095cb973369e8b5c8d516da7adf45a42e93ad2301-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd@sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                    }
                ],
                "startTime": "2026-07-02T11:57:04Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://918668d19c0d8bc940c73211a7d2cee9eeff0ee81da3ca5261101d4c44afbaa3",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:11Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd@sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:08Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b031fb366b1f64c8a2664a35a16f1be3e0176522e2a6d3935d149645c3030ea7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:12Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd@sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:12Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://61a17f56da34f2c869a12622257ef05f08004fbbce5d6a6322803c40fc621a5a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:15Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd@sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:12Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "d442d3994e1d0c59fc989157fc83f609c8448444"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444@sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:konflux-test-0bf2d095cb9733df7a56ae6419c93ca6-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:konflux-test-0bf2d095cb9733df7a56ae6419c93ca6-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/commit_sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/pull_request_number": "9605",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-btwmob",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1/records/5b210d9f-bed3-4f50-9e0f-852cbc05cd7f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"eventType\":\"pull_request\",\"pull_request-id\":9605}",
                    "results.tekton.dev/result": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:02:25Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRunUID": "23b82297-7ace-463a-ae12-55736692e1a1",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "konflux-test-4231781bef2aaa90a8dad499035c843c-build-image-index",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                        "uid": "23b82297-7ace-463a-ae12-55736692e1a1"
                    }
                ],
                "resourceVersion": "35230",
                "uid": "5b210d9f-bed3-4f50-9e0f-852cbc05cd7f"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "49c35baacd3df172ca8e64fd638e35c14cee4be2"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2@sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:02:37Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:02:37Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-4231781bef2aaa26ea9ea8c463a6b98e5aa4b82e6bcc8d-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd@sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                    }
                ],
                "startTime": "2026-07-02T12:02:25Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://594fbca58d6a93351c9e852c8f414b09bf4ed5040af409b30d3fed381723a8f3",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:02:33Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd@sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:29Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f2f77c933b5f1d7dd0f7602c20e7f0bf629169d3bb5e3ae6c8f271d75aba7163",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:02:33Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd@sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://04182158fae02ced01cc2933c4b0df450697637152537b29810d8d2b90e8becc",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:02:37Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd@sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:34Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "49c35baacd3df172ca8e64fd638e35c14cee4be2"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2@sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:konflux-test-4231781bef2aaa90a8dad499035c843c-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:konflux-test-4231781bef2aaa90a8dad499035c843c-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/commit_sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/pull_request_number": "9604",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-82d4d26c2f",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vvbbfv",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072/records/8cdaa6e5-49b8-4ba4-969a-48ee8b47a1a9",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"d442d3994e1d0c59fc989157fc83f609c8448444\",\"eventType\":\"pull_request\",\"pull_request-id\":9604}",
                    "results.tekton.dev/result": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-44r7zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:54:10Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRunUID": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "f36298afe4a57dcf248fd10af85e8b4a8e6adabeaad32c9cbfcdf0c41678d4"
                },
                "name": "konflux-test-i0bf2d095cb9733df7a56ae6419c93ca6-clone-repository",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                        "uid": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072"
                    }
                ],
                "resourceVersion": "27628",
                "uid": "8cdaa6e5-49b8-4ba4-969a-48ee8b47a1a9"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "revision",
                        "value": "d442d3994e1d0c59fc989157fc83f609c8448444"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b816eb5363"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-vvbbfv"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:54:18Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:54:18Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-i0bf2d095cb973535e6f5327aefab062135ddf12963e11-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "d442d3994e1d0c59fc989157fc83f609c8448444"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "d442d3994e1d0c59fc989157fc83f609c8448444"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1782993217"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "d442d39"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    }
                ],
                "startTime": "2026-07-02T11:54:10Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://71460783b1bf836bacc6a02768caa97faa2d90a0a183b59b52c8f07133e0e664",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:54:17Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"d442d3994e1d0c59fc989157fc83f609c8448444\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1},{\"key\":\"commit\",\"value\":\"d442d3994e1d0c59fc989157fc83f609c8448444\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782993217\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"d442d39\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:54:16Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c7e1bf66f6def842d279fa6f9c82e8c19ea635c22e27e2b0857739fe27bef623",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:54:17Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"d442d3994e1d0c59fc989157fc83f609c8448444\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1},{\"key\":\"commit\",\"value\":\"d442d3994e1d0c59fc989157fc83f609c8448444\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782993217\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"d442d39\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:54:17Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "d442d3994e1d0c59fc989157fc83f609c8448444"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/commit_sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/pull_request_number": "9604",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-82d4d26c2f",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vvbbfv",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072/records/2262f7a2-d948-439c-a135-16fe0aec1eb0",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"d442d3994e1d0c59fc989157fc83f609c8448444\",\"eventType\":\"pull_request\",\"pull_request-id\":9604}",
                    "results.tekton.dev/result": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-44r7zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:57:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRunUID": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "f36298afe4a57dcf248fd10af85e8b4a8e6adabeaad32c9cbfcdf0c41678d4"
                },
                "name": "konflux-test-i0bf2d095cb9733df7a56ae6419c93ca6-sast-shell-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                        "uid": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072"
                    }
                ],
                "resourceVersion": "30053",
                "uid": "2262f7a2-d948-439c-a135-16fe0aec1eb0"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b816eb5363"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:57:32Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:57:32Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-i0bf2d095cb97315445d99f40b9334008ec56c9b7e7f18-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T11:57:30+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T11:57:18Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://76aa60ed3457b5b50087c3666407913a36ba0fff4085849ef2fea9a8c4455e79",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:30Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T11:57:30+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:29Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e5688dcd3fc99b861a11b98869885c91a1f6eb8263e32f19a37c071cb6cd9124",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:32Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T11:57:30+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:30Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/commit_sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/pull_request_number": "9605",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-e1c3eb0f2c",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-btwmob",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1/records/268e23d1-78d0-4d9c-adb1-6c32f555332b",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"eventType\":\"pull_request\",\"pull_request-id\":9605}",
                    "results.tekton.dev/result": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:59:28Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRunUID": "23b82297-7ace-463a-ae12-55736692e1a1",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "konflux-test-i4231781bef2aaa90a8dad499035c843c-clone-repository",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                        "uid": "23b82297-7ace-463a-ae12-55736692e1a1"
                    }
                ],
                "resourceVersion": "32759",
                "uid": "268e23d1-78d0-4d9c-adb1-6c32f555332b"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "revision",
                        "value": "49c35baacd3df172ca8e64fd638e35c14cee4be2"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-d762e1b93e"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-btwmob"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:59:34Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:59:34Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-i4231781bef2aa32077a97befa7114776b1c03975e2d8f-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "49c35baacd3df172ca8e64fd638e35c14cee4be2"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "49c35baacd3df172ca8e64fd638e35c14cee4be2"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1782993527"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "49c35ba"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    }
                ],
                "startTime": "2026-07-02T11:59:28Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://28571548e8ae752ed6f3ec08bc2a3ec268f15d81f26717198efe1e0b199957da",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:59:32Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1},{\"key\":\"commit\",\"value\":\"49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782993527\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"49c35ba\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:59:32Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://06cba464335ced562743d5a27592ba9fbd869e8919ac500e16c6b3d5282d61f8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:59:33Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1},{\"key\":\"commit\",\"value\":\"49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782993527\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"49c35ba\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/konflux-test-integration-clone\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:59:33Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "49c35baacd3df172ca8e64fd638e35c14cee4be2"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/commit_sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/pull_request_number": "9605",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-e1c3eb0f2c",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-btwmob",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1/records/e07c3fa7-44f6-4de6-9c28-b099aabd958c",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"eventType\":\"pull_request\",\"pull_request-id\":9605}",
                    "results.tekton.dev/result": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:02:38Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRunUID": "23b82297-7ace-463a-ae12-55736692e1a1",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "konflux-test-i4231781bef2aaa90a8dad499035c843c-sast-shell-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                        "uid": "23b82297-7ace-463a-ae12-55736692e1a1"
                    }
                ],
                "resourceVersion": "35533",
                "uid": "e07c3fa7-44f6-4de6-9c28-b099aabd958c"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-d762e1b93e"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:02:59Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:02:59Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-i4231781bef2aa20de4be45b30f3964c4f1070e43c569b-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:02:54+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:02:39Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2d3baf71affdcd80c6da6ea611e6c8b4098d57032a0c31449d550794cdfbced9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:02:54Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:02:54+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:52Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://1f4a08aa5494ddacd03da413b91212c2817199bdf113792cf2854047b70bd6cd",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:02:57Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:02:54+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:54Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/commit_sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/pull_request_number": "9604",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-82d4d26c2f",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vvbbfv",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072/records/0a2c4e8b-7d00-413a-9669-8c164932247a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"d442d3994e1d0c59fc989157fc83f609c8448444\",\"eventType\":\"pull_request\",\"pull_request-id\":9604}",
                    "results.tekton.dev/result": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-44r7zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:54:31Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRunUID": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "f36298afe4a57dcf248fd10af85e8b4a8e6adabeaad32c9cbfcdf0c41678d4"
                },
                "name": "konflux-test-in0bf2d095cb9733df7a56ae6419c93ca6-build-container",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                        "uid": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072"
                    }
                ],
                "resourceVersion": "29231",
                "uid": "0a2c4e8b-7d00-413a-9669-8c164932247a"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "d442d3994e1d0c59fc989157fc83f609c8448444"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b816eb5363"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:57:04Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:57:04Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-in0bf2d095cb978e8b29827f561fad7fbd6cf5a5f7a368-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444@sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd@sha256:24d6c1f9f35472ccef8454e32af76c7aac6fbe42188939c5c4a136dc6433b246"
                    }
                ],
                "startTime": "2026-07-02T11:54:31Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a2a22393932fd3a162cc9ad5b7967c8d552fcee2a5a1e2a6f6290ba4181e7be7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:55:21Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:54:39Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://177874ee549d039ff0a491d5bffc2fc434f4109f0b850b415dcb202485f2a15d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:55:49Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444@sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:55:22Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://1032b37b7d01f0ff8ea0929e55116828ee99c8b2e31dff5c3c04c25a77dc3b40",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:56:02Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444@sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:55:49Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://08e246bcfe8fcac4cc10201fe44b9b861ebd3e165594d3bcac7da41629190598",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:56:24Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444@sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:56:02Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7106945907d2d2c8faf56d95186e6eceeb0e19dbd43414a3e2c813dce04158b1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:03Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444@sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd@sha256:24d6c1f9f35472ccef8454e32af76c7aac6fbe42188939c5c4a136dc6433b246\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:56:25Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "."
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "d442d3994e1d0c59fc989157fc83f609c8448444"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "konflux-test-in0bf2d095cb9733df7a56ae6419c93ca6-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/commit_sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/pull_request_number": "9604",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-82d4d26c2f",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vvbbfv",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072/records/12855f56-05dc-4e74-af28-76bdf44b9f34",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"d442d3994e1d0c59fc989157fc83f609c8448444\",\"eventType\":\"pull_request\",\"pull_request-id\":9604}",
                    "results.tekton.dev/result": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-44r7zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:57:17Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRunUID": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "f36298afe4a57dcf248fd10af85e8b4a8e6adabeaad32c9cbfcdf0c41678d4"
                },
                "name": "konflux-test-in0bf2d095cb9733df7a56ae6419c93ca6-push-dockerfile",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                        "uid": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072"
                    }
                ],
                "resourceVersion": "30122",
                "uid": "12855f56-05dc-4e74-af28-76bdf44b9f34"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b816eb5363"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:57:30Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:57:30Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-in0bf2d095cb97c596ba44d6040ada5925c6b03bacfcf8-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd@sha256:a3ed9d5f1602358c666937bbb6691e22e669164406e5fe07b50547e9ec95b6af"
                    }
                ],
                "startTime": "2026-07-02T11:57:19Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9b46fb28c6d4272ccaba2d51d1b683fce3c7878849c683c33b6de5ebed30738b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:30Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd@sha256:a3ed9d5f1602358c666937bbb6691e22e669164406e5fe07b50547e9ec95b6af\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:29Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                ".",
                                "--containerfile",
                                "Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444",
                                "--image-digest",
                                "sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/commit_sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/pull_request_number": "9604",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-82d4d26c2f",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vvbbfv",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072/records/9a9af26c-62d5-401f-ac78-01dfae2ddf93",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"d442d3994e1d0c59fc989157fc83f609c8448444\",\"eventType\":\"pull_request\",\"pull_request-id\":9604}",
                    "results.tekton.dev/result": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-44r7zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:57:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRunUID": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "f36298afe4a57dcf248fd10af85e8b4a8e6adabeaad32c9cbfcdf0c41678d4"
                },
                "name": "konflux-test-in0bf2d095cb9733df7a56ae6419c93ca6-sast-snyk-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                        "uid": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072"
                    }
                ],
                "resourceVersion": "30027",
                "uid": "9a9af26c-62d5-401f-ac78-01dfae2ddf93"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b816eb5363"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:57:29Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:57:29Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-in0bf2d095cb9703c5ad225e2981801e71c8e2b37b1fe0-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-02T11:57:29+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T11:57:17Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://bd67e73b1705181cbd1d0b803e2437b5b9ef60f729ffbd8ece9fe5a68fa2ead6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:29Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-02T11:57:29+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:27Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3201b173fbc61351afd003ce3e372c74203cb3a250bef9b03b4426c4886219f2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:29Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-02T11:57:29+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:29Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/commit_sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/pull_request_number": "9605",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-e1c3eb0f2c",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-btwmob",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1/records/8ad080ab-a762-4ace-9178-25f32d6967b3",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"eventType\":\"pull_request\",\"pull_request-id\":9605}",
                    "results.tekton.dev/result": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:59:54Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRunUID": "23b82297-7ace-463a-ae12-55736692e1a1",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "konflux-test-in4231781bef2aaa90a8dad499035c843c-build-container",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                        "uid": "23b82297-7ace-463a-ae12-55736692e1a1"
                    }
                ],
                "resourceVersion": "34710",
                "uid": "8ad080ab-a762-4ace-9178-25f32d6967b3"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "49c35baacd3df172ca8e64fd638e35c14cee4be2"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-d762e1b93e"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:02:25Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:02:25Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-in4231781bef2a253c79fbc4dfd5efd83f3e0cd7794705-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2@sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd@sha256:c1927d23a39932a3b89727bc1ca3ef08e56fc7488794b95c19104ab0ba02ab5a"
                    }
                ],
                "startTime": "2026-07-02T11:59:54Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://101a8be396ff06fd01cf0794efdbbd09e5b4933327e3954d67e2f657084590da",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:00:52Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:00:01Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://46a9eed42dfa942c8c6341c20d74771da3e279e5c93be53829bebd009d786512",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:01:11Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2@sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:00:52Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://814aaaa4f2e041d46154e6eb8295c10e2704cd823b8621698dfd5cc32c56a0d0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:01:24Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2@sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:01:12Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://deb854fcf3a47900efc92c2edfe5f71b7976cb65dd83e1fa912426a59fe8d5d7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:01:47Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2@sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:01:24Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://0dda450189b03a2dcbff3a13f4d93edcf116e4d1c7812697cb563b8897070109",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:02:24Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2@sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd@sha256:c1927d23a39932a3b89727bc1ca3ef08e56fc7488794b95c19104ab0ba02ab5a\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:01:47Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "."
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "49c35baacd3df172ca8e64fd638e35c14cee4be2"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "konflux-test-in4231781bef2aaa90a8dad499035c843c-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/commit_sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/pull_request_number": "9605",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-e1c3eb0f2c",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-btwmob",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1/records/052ebb0f-ab0f-42c7-98d8-3be4c2217a0b",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"eventType\":\"pull_request\",\"pull_request-id\":9605}",
                    "results.tekton.dev/result": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:02:38Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRunUID": "23b82297-7ace-463a-ae12-55736692e1a1",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "konflux-test-in4231781bef2aaa90a8dad499035c843c-push-dockerfile",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                        "uid": "23b82297-7ace-463a-ae12-55736692e1a1"
                    }
                ],
                "resourceVersion": "35605",
                "uid": "052ebb0f-ab0f-42c7-98d8-3be4c2217a0b"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-d762e1b93e"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:02:56Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:02:56Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-in4231781bef2a9864f350fd059acf5496d268801e67e0-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd@sha256:b2758f0521b083c5763d1eb06b16ad1815a265deaad55602b3c7436435a62e51"
                    }
                ],
                "startTime": "2026-07-02T12:02:41Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a8eebac1c2acd7f2970512df7f35b2f820a8daba2dc460ddabf900847df73d7c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:02:55Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd@sha256:b2758f0521b083c5763d1eb06b16ad1815a265deaad55602b3c7436435a62e51\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:52Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                ".",
                                "--containerfile",
                                "Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2",
                                "--image-digest",
                                "sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/commit_sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/pull_request_number": "9605",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-e1c3eb0f2c",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-btwmob",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1/records/d7b32526-ca53-4761-8aca-af880a9504b9",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"eventType\":\"pull_request\",\"pull_request-id\":9605}",
                    "results.tekton.dev/result": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:02:38Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRunUID": "23b82297-7ace-463a-ae12-55736692e1a1",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "konflux-test-in4231781bef2aaa90a8dad499035c843c-sast-snyk-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                        "uid": "23b82297-7ace-463a-ae12-55736692e1a1"
                    }
                ],
                "resourceVersion": "35490",
                "uid": "d7b32526-ca53-4761-8aca-af880a9504b9"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-d762e1b93e"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:02:52Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:02:52Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-in4231781bef2ab5bf381a13ed320c58de7feaf9814cc5-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-02T12:02:50+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:02:38Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://fa76d07a2c62c644e4f333b53ce339ed46c9c29fcf3db33c6033bcec1dafb28d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:02:50Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-02T12:02:50+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:49Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://31d42e6fd014b20b4f2ed4942e4391c9c2bfa64107dfc40a2ed37717dabf4fa0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:02:51Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-02T12:02:50+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:51Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/commit_sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/pull_request_number": "9604",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vvbbfv",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072/records/0dd5ca69-c872-416d-8e47-5267016bbbc4",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"d442d3994e1d0c59fc989157fc83f609c8448444\",\"eventType\":\"pull_request\",\"pull_request-id\":9604}",
                    "results.tekton.dev/result": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-44r7zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:57:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRunUID": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "f36298afe4a57dcf248fd10af85e8b4a8e6adabeaad32c9cbfcdf0c41678d4"
                },
                "name": "konflux-test-integr0bf2d095cb9733df7a56ae6419c93ca6-clamav-scan",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                        "uid": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072"
                    }
                ],
                "resourceVersion": "31415",
                "uid": "0dd5ca69-c872-416d-8e47-5267016bbbc4"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:58:12Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:58:12Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integr0bf2d095d88ea6f2212a07c1e2f7c2f93e79acba-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444\", \"digests\": [\"sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782993488\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-02T11:57:17Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:51306b4d971e7c1fa2bd1a055b4727dcd33ca920b9899642aba57bf79237fa93",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://caf0c2c55c44056437a2e2c5cbccd7f7c94bec10737dbac4e70fdec793714cc2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:58:08Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444\\\", \\\"digests\\\": [\\\"sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782993488\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:29Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://fffa5aab48ff7e4ea605391771e65af2ba946aed14a4bfd0ea803f27018dd39a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:58:11Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444\\\", \\\"digests\\\": [\\\"sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782993488\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:58:08Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/commit_sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/pull_request_number": "9605",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-btwmob",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1/records/9a751000-79b0-45d9-aba2-9cde7f30045a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"eventType\":\"pull_request\",\"pull_request-id\":9605}",
                    "results.tekton.dev/result": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:02:38Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRunUID": "23b82297-7ace-463a-ae12-55736692e1a1",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "konflux-test-integr4231781bef2aaa90a8dad499035c843c-clamav-scan",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                        "uid": "23b82297-7ace-463a-ae12-55736692e1a1"
                    }
                ],
                "resourceVersion": "37120",
                "uid": "9a751000-79b0-45d9-aba2-9cde7f30045a"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:03:36Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:03:36Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integr4231781bcf498edcb49c932be895f68a1ee9dd7f-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2\", \"digests\": [\"sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782993809\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-02T12:02:38Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:51306b4d971e7c1fa2bd1a055b4727dcd33ca920b9899642aba57bf79237fa93",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4ba4cd47d98bc1ec86eb90c9a1a92879dad028ffc56cfb5d8931e2e91e297891",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:03:29Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2\\\", \\\"digests\\\": [\\\"sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782993809\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:50Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://22e9da5dbf08199de87af21be747713f7a03367bd4150bb3cf64ada46920462e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:03:34Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2\\\", \\\"digests\\\": [\\\"sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782993809\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:03:29Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/commit_sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/pull_request_number": "9604",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vvbbfv",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072/records/c1a6bb81-0808-4e3e-a070-9447a808a667",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"d442d3994e1d0c59fc989157fc83f609c8448444\",\"eventType\":\"pull_request\",\"pull_request-id\":9604}",
                    "results.tekton.dev/result": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-44r7zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:57:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRunUID": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "f36298afe4a57dcf248fd10af85e8b4a8e6adabeaad32c9cbfcdf0c41678d4"
                },
                "name": "konflux-test-integra0bf2d095cb9733df7a56ae6419c93ca6-apply-tags",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                        "uid": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072"
                    }
                ],
                "resourceVersion": "30117",
                "uid": "c1a6bb81-0808-4e3e-a070-9447a808a667"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:57:29Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:57:29Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integra0bf2d09d2aeda0e25f628d42890cd255ce3f913-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-02T11:57:19Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9c54dfc6e56ff08011462be1c7f4d85970dab5e79fe3f45b758daf0ed332ec26",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:29Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:28Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444",
                                "--digest",
                                "sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/commit_sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/pull_request_number": "9604",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vvbbfv",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072/records/ded2f68e-ce11-4f16-8a4b-a52ea63ab113",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"d442d3994e1d0c59fc989157fc83f609c8448444\",\"eventType\":\"pull_request\",\"pull_request-id\":9604}",
                    "results.tekton.dev/result": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-44r7zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:57:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRunUID": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "f36298afe4a57dcf248fd10af85e8b4a8e6adabeaad32c9cbfcdf0c41678d4"
                },
                "name": "konflux-test-integra0bf2d095cb9733df7a56ae6419c93ca6-clair-scan",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                        "uid": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072"
                    }
                ],
                "resourceVersion": "30392",
                "uid": "ded2f68e-ce11-4f16-8a4b-a52ea63ab113"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:57:58Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:57:58Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integra0bf2d09fa8c348bca252327b72cfd123e2b2dc9-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444\", \"digests\": [\"sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\":\"sha256:a383726edf2f74d1aad436ee1c15ef9a3ffc5ef74d66d7c7db240af06b32fd23\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":147,\"low\":150,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T11:57:57+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T11:57:16Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6189b93de4924cf4c41aa8a027ad2177b3d0adc11f9f7570363a7219b9d3e562",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:33Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:28Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2283577148d8986b0d2aa9985b99193b38a07e606d3305bba399a9206e044244",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:49Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:34Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://fca59d6b59b15369053f088a32ac7e02d4b4bb7b3204014ecf9b699520d4b955",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:52Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:49Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://89e3bdcd0c60e7fe8d6f93f8325cffe0dee7e30b47e48a0898e4e0264072676d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:57Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444\\\", \\\"digests\\\": [\\\"sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\\\":\\\"sha256:a383726edf2f74d1aad436ee1c15ef9a3ffc5ef74d66d7c7db240af06b32fd23\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":147,\\\"low\\\":150,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T11:57:57+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:53Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/commit_sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/pull_request_number": "9605",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-btwmob",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1/records/c48a43e0-45fc-400b-b744-040a928bf58f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"eventType\":\"pull_request\",\"pull_request-id\":9605}",
                    "results.tekton.dev/result": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:02:38Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRunUID": "23b82297-7ace-463a-ae12-55736692e1a1",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "konflux-test-integra4231781bef2aaa90a8dad499035c843c-apply-tags",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                        "uid": "23b82297-7ace-463a-ae12-55736692e1a1"
                    }
                ],
                "resourceVersion": "35595",
                "uid": "c48a43e0-45fc-400b-b744-040a928bf58f"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:02:53Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:02:53Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integra42317818c21945e6e41a00c486d608550e8acdc-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-02T12:02:40Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b9843eb18519d3833e0bee04c749f2c211e257ca34f8ccdfceb947f8fce14b56",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:02:52Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:51Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2",
                                "--digest",
                                "sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/commit_sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/pull_request_number": "9605",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-btwmob",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1/records/4ca32f51-555e-46c0-ae77-dbedf7c4c38e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"eventType\":\"pull_request\",\"pull_request-id\":9605}",
                    "results.tekton.dev/result": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:02:37Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRunUID": "23b82297-7ace-463a-ae12-55736692e1a1",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "konflux-test-integra4231781bef2aaa90a8dad499035c843c-clair-scan",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                        "uid": "23b82297-7ace-463a-ae12-55736692e1a1"
                    }
                ],
                "resourceVersion": "36068",
                "uid": "4ca32f51-555e-46c0-ae77-dbedf7c4c38e"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:03:22Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:03:22Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integra42317815bdb2b364aa236a2e38a70d80f83269b-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2\", \"digests\": [\"sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\":\"sha256:285bf1038c6e119551bcbc2037cad61219eed91acd648ded95588c9dba98dfd0\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":147,\"low\":150,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:03:22+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:02:37Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://12adff4cc86b34f8f5c8e5ecdc1e907f97e446b63b12e78a524731493fa400dc",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:02:56Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:50Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d9bceffd197c33f7a799ace0490bb2ec104bdd447a0bb5c88767f8ca85736f55",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:03:11Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:57Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://16501eaaa4e33fe1917a8733f71f25e7e15ede7af266f93b5c8a2d93184c9059",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:03:16Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:03:11Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b70a67f9fb9829c3a0d84c623754090647cbae34fa0087b29ba2680b4cb4415d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:03:22Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2\\\", \\\"digests\\\": [\\\"sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\\\":\\\"sha256:285bf1038c6e119551bcbc2037cad61219eed91acd648ded95588c9dba98dfd0\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":147,\\\"low\\\":150,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:03:22+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:03:17Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/commit_sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/pull_request_number": "9604",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vvbbfv",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072/records/d57c0bc1-9374-4531-bda2-c9fded83ab56",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"d442d3994e1d0c59fc989157fc83f609c8448444\",\"eventType\":\"pull_request\",\"pull_request-id\":9604}",
                    "results.tekton.dev/result": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-44r7zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:54:03Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRunUID": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "f36298afe4a57dcf248fd10af85e8b4a8e6adabeaad32c9cbfcdf0c41678d4"
                },
                "name": "konflux-test-integration-c0bf2d095cb9733df7a56ae6419c93ca6-init",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                        "uid": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072"
                    }
                ],
                "resourceVersion": "27578",
                "uid": "d57c0bc1-9374-4531-bda2-c9fded83ab56"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:54:08Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:54:08Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integration-c0c47fd0ec164dc8c60ff58233c4145d80-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-02T11:54:03Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3ddb5deda30cfafa45e9dd84269a899ff9d5df58e35d008575374d31f841d447",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:54:07Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:54:07Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/commit_sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/pull_request_number": "9605",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-btwmob",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1/records/cebb3828-0fa6-4a43-8020-65b7355c1392",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"eventType\":\"pull_request\",\"pull_request-id\":9605}",
                    "results.tekton.dev/result": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:59:20Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRunUID": "23b82297-7ace-463a-ae12-55736692e1a1",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "konflux-test-integration-c4231781bef2aaa90a8dad499035c843c-init",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                        "uid": "23b82297-7ace-463a-ae12-55736692e1a1"
                    }
                ],
                "resourceVersion": "32605",
                "uid": "cebb3828-0fa6-4a43-8020-65b7355c1392"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:59:25Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:59:25Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integration-c46b6991f5d3dfa88ca6b3c1053635f14e-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-02T11:59:20Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d87d6cf46414e8a8de16c9344587412fa891fc117e9348d9887454a0cf7d6858",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:59:24Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:59:24Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/commit_sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/pull_request_number": "9605",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-btwmob",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1/records/b30d1a3b-50b2-4365-a309-f7429b7dba8e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"eventType\":\"pull_request\",\"pull_request-id\":9605}",
                    "results.tekton.dev/result": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:02:37Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRunUID": "23b82297-7ace-463a-ae12-55736692e1a1",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "konflux-test-integration-clone-1352adb3c1cf295791fb0128344198d7",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                        "uid": "23b82297-7ace-463a-ae12-55736692e1a1"
                    }
                ],
                "resourceVersion": "36115",
                "uid": "b30d1a3b-50b2-4365-a309-f7429b7dba8e"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:03:22Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:03:22Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integration-cled2466db71d376331effa7896f1883cf-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2\", \"digests\": [\"sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782993801\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-02T12:02:38Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://3a8d9d0fec4f985b54a106894db590272551ff84a6a596b4db20232eb775e74f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:02:53Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:52Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://f694b62a4e1cf501e32972455f34a181c0a778aa9ebf59eb57fe377998222d05",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:02:54Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:53Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d544269e5e69a2e99398c16d56558f8fe9d6dcfc111316efc6566a0d350b2fed",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:02:54Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:54Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b36a1affe85dfb876439f39daaa7e0632784a42fd2004f6806bb78e3d0dbd0bc",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:03:20Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:55Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2\", \"digests\": [\"sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782993801\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://b4c373c6d22220a3410dd290cb6a114793f8d667d1c92d333cdff8ea549aeb95",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:03:21Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2\\\", \\\"digests\\\": [\\\"sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782993801\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:03:21Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782993801\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://949bee41a82efdbb5d5a77d25da68afd47c68ebe4e640ffdcc8f9c3e0d387424",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:03:22Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782993801\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:03:22Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/commit_sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/pull_request_number": "9604",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vvbbfv",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072/records/35351607-f0e6-40c3-bfab-0dda76b5be13",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"d442d3994e1d0c59fc989157fc83f609c8448444\",\"eventType\":\"pull_request\",\"pull_request-id\":9604}",
                    "results.tekton.dev/result": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-44r7zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:57:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRunUID": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "f36298afe4a57dcf248fd10af85e8b4a8e6adabeaad32c9cbfcdf0c41678d4"
                },
                "name": "konflux-test-integration-clone-e59395087312b28c31db2353556c6c8f",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                        "uid": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072"
                    }
                ],
                "resourceVersion": "30802",
                "uid": "35351607-f0e6-40c3-bfab-0dda76b5be13"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:58:03Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:58:03Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test-integration-cl9002765f3c796615982dc39d9a8ae4c2-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444\", \"digests\": [\"sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782993481\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-02T11:57:16Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://1a066a97f8aa80dbcc6f088e245e285af64566211b30ee79e9e0a0a58d093ea4",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:29Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:28Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://2a66636b0971ac55bf026ef9ae2976bbacc015ad435b42879266c3b2a2517c19",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:29Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:29Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://bd9f572ce6431b53f046ed8fc2b8afdce15f1d783f6faca9747be151464ad370",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:30Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:30Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6caa38a1ea0009be4d7a3f6356cf3b931b33f9e9d3bcd606f3a693e75032e4d6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:58:00Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:30Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444\", \"digests\": [\"sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782993481\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://e8a2334766d8474ab0a70e13ae70cc5358332c0294cee4a4536299fb47bd01c0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:58:01Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444\\\", \\\"digests\\\": [\\\"sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782993481\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:58:01Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782993481\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://3ffc1d4d04a8f525d98c7edc50a3d58225034e801f8f54ed7fe265f9361670ad",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:58:02Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782993481\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:58:02Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/commit_sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "build.appstudio.redhat.com/pull_request_number": "9604",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-82d4d26c2f",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-vvbbfv",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072/records/a6381d72-e3a4-4e8b-a97c-4b59455d4679",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"d442d3994e1d0c59fc989157fc83f609c8448444\",\"eventType\":\"pull_request\",\"pull_request-id\":9604}",
                    "results.tekton.dev/result": "group-r73r/results/f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-konflux-test-integration-clone-44r7zd",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:57:16Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129367",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9604",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "d442d3994e1d0c59fc989157fc83f609c8448444",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                    "tekton.dev/pipelineRunUID": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "f36298afe4a57dcf248fd10af85e8b4a8e6adabeaad32c9cbfcdf0c41678d4"
                },
                "name": "konflux-test0bf2d095cb9733df7a56ae6419c93ca6-sast-unicode-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-6w5q2",
                        "uid": "f9546aa0-d2e4-44b3-a3e3-42e0696e8072"
                    }
                ],
                "resourceVersion": "30067",
                "uid": "a6381d72-e3a4-4e8b-a97c-4b59455d4679"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b816eb5363"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:57:34Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:57:34Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test0bf2d095cb9733d9f699fa51d5c4ddad7c0e6d981be1c41-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T11:57:31+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T11:57:19Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ffa44e09118ce85adf68c5dd70cb89b5c512a12f0fa5a90c4e52b4b9718f5f55",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:31Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T11:57:31+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:30Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8672a6984079433b69a9162f20ce80f573467a10702881250d5226f5b634117a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:33Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T11:57:31+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:32Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-d442d3994e1d0c59fc989157fc83f609c8448444"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:97ac0872f52e386713ffd7e0babfe41d517e42d784e85ce32be9c157214256c7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone?rev=49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/commit_sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "build.appstudio.redhat.com/pull_request_number": "9605",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-e1c3eb0f2c",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-btwmob",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\"",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone/commit/49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/konflux-test-integration-clone",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1/records/28db3ec3-295d-40c9-b86e-0f82a7c90999",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"konflux-test-integration-clone\",\"commit\":\"49c35baacd3df172ca8e64fd638e35c14cee4be2\",\"eventType\":\"pull_request\",\"pull_request-id\":9605}",
                    "results.tekton.dev/result": "group-r73r/results/23b82297-7ace-463a-ae12-55736692e1a1",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:02:38Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "konflux-test-integration-clone-44r7zd",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765079764",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "konflux-test-integration-clone-44r7zd-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "9605",
                    "pipelinesascode.tekton.dev/repository": "konflux-test-integration-clone-44r7zd",
                    "pipelinesascode.tekton.dev/sha": "49c35baacd3df172ca8e64fd638e35c14cee4be2",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "konflux-test-integration-clone",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRun": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                    "tekton.dev/pipelineRunUID": "23b82297-7ace-463a-ae12-55736692e1a1",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "konflux-test4231781bef2aaa90a8dad499035c843c-sast-unicode-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "konflux-test-integration-clone-44r7zd-on-pull-request-sxfcf",
                        "uid": "23b82297-7ace-463a-ae12-55736692e1a1"
                    }
                ],
                "resourceVersion": "35591",
                "uid": "28db3ec3-295d-40c9-b86e-0f82a7c90999"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                    }
                ],
                "serviceAccountName": "build-pipeline-konflux-test-integration-clone-44r7zd",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-d762e1b93e"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:02:56Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:02:56Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "konflux-test4231781bef2aaa976a648ce964209641c86d23d6869d495-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:02:53+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:02:40Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://737c8efce07a0495be626c5dcd5b88c66db93ea2449f4688a5cc01933da9630d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:02:53Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:02:53+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:52Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c030dea41d123660bd65d62f48b0751d37f2fb895191bd2bc98eda7dce540491",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:02:55Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:02:53+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:54Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/konflux-test-integration-clone-44r7zd:on-pr-49c35baacd3df172ca8e64fd638e35c14cee4be2"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:244975774f36f2deac8f3e087f2772c36985199dea038ef959c6734fe511fcbd"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/commit_sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wevzrw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-p2h7h",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089/records/048dd6cb-4bd9-43be-96fd-07731d62b6da",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"7705e62986c83b49dab82b88455e8ec95577f411\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6hwd6 is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:10:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRunUID": "c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "pyt0d240930c95a99a47c3f4267213bf308-coverity-availability-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-p2h7h",
                        "uid": "c40ed468-8b85-4fa2-849a-6ae88f2ca089"
                    }
                ],
                "resourceVersion": "43902",
                "uid": "048dd6cb-4bd9-43be-96fd-07731d62b6da"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:11:39Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:11:39Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pyt0d240930c95a99a47c3f4267b81ff48323937458501627a6ed37c111-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-02T12:11:25+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:10:44Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f658b2acb9c4d929f79ef625bd10ae8c88b31371e1e2fc5d3c22806389528ee5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:11:25Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-02T12:11:25+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:11:25Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/commit_sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wevzrw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-p2h7h",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089/records/53d7053c-c5d7-4f64-bbdd-deca825fe4af",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"7705e62986c83b49dab82b88455e8ec95577f411\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6hwd6 is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:10:41Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRunUID": "c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "pyt0d240930c95a99a47c3f4267213bf308-deprecated-base-image-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-p2h7h",
                        "uid": "c40ed468-8b85-4fa2-849a-6ae88f2ca089"
                    }
                ],
                "resourceVersion": "43736",
                "uid": "53d7053c-c5d7-4f64-bbdd-deca825fe4af"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:11:20Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:11:20Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pyt0d240930c95a99a47c3f4267ac49d6079f6ee95f6be3c15cbca456c7-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411\", \"digests\": [\"sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:11:06+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":1,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:10:41Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ad74db8c546978e17a0e312ac1c1a90b8d3b9a2299bb0f226f3b961ccb2fa6f5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:11:07Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411\\\", \\\"digests\\\": [\\\"sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:11:06+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":1,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:10:55Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/commit_sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/pull_request_number": "22764",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ypygym",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-wbpv6",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-6fif5m",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4/records/45149d52-1b80-4258-acba-938fc71161e0",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"eventType\":\"pull_request\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-6fif5m",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:51:26Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRunUID": "0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "fd66cde0805e19cbd9b5884b85b639a30fb4757b4422719e277ec8c564669f"
                },
                "name": "pyt6bc7cc7a936a86201ddb1c2b5ff519f9-coverity-availability-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-wbpv6",
                        "uid": "0eb86332-163e-412e-ae6b-cb4bd354c8a4"
                    }
                ],
                "resourceVersion": "25483",
                "uid": "45149d52-1b80-4258-acba-938fc71161e0"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:51:42Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:51:42Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pyt6bc7cc7a936a86201ddb1c2b094d32e858d8e50535aecbcaf4f2e926-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-02T11:51:41+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T11:51:27Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f4c5d70a966b88978ba0de82ce50a7b5a2d250bd0e54301dc0c696c8755b2a93",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:51:41Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-02T11:51:41+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:51:41Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/commit_sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/pull_request_number": "22764",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ypygym",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-wbpv6",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-6fif5m",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4/records/0ba6d88e-89aa-45b0-8ac0-35d7b383fc78",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"eventType\":\"pull_request\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-6fif5m",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:51:26Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRunUID": "0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "fd66cde0805e19cbd9b5884b85b639a30fb4757b4422719e277ec8c564669f"
                },
                "name": "pyt6bc7cc7a936a86201ddb1c2b5ff519f9-deprecated-base-image-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-wbpv6",
                        "uid": "0eb86332-163e-412e-ae6b-cb4bd354c8a4"
                    }
                ],
                "resourceVersion": "25520",
                "uid": "0ba6d88e-89aa-45b0-8ac0-35d7b383fc78"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:51:55Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:51:55Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pyt6bc7cc7a936a86201ddb1c2b5b516e1469965af9cc73438a10936d8e-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c\", \"digests\": [\"sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T11:51:50+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":1,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T11:51:26Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d9ac6aced80bbc3b30487681dec4ba9e4d1c42596e903aa202cd7420fd8061b8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:51:52Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c\\\", \\\"digests\\\": [\\\"sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T11:51:50+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":1,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:51:36Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/commit_sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ammwba",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-8nqvb",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8/records/989c71a0-4090-452e-a590-638a89596f57",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6p5dm is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:03:59Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRunUID": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "pytaf050c7460b8aced211cb7091ae23390-coverity-availability-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-8nqvb",
                        "uid": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8"
                    }
                ],
                "resourceVersion": "38077",
                "uid": "989c71a0-4090-452e-a590-638a89596f57"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:04:32Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:04:32Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pytaf050c7460b8aced211cb709356c579f2537328aa43616cd85dbbc7a-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-02T12:04:30+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:04:03Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c8f30bb0b4b8733f71f770b91d78ef40b6a501f0bb2ce6e4fe5d251e602f5daa",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:04:30Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-02T12:04:30+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:04:30Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/commit_sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ammwba",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-8nqvb",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8/records/f4f7cde6-d789-4795-af62-88999892d162",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6p5dm is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:03:58Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRunUID": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "pytaf050c7460b8aced211cb7091ae23390-deprecated-base-image-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-8nqvb",
                        "uid": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8"
                    }
                ],
                "resourceVersion": "38001",
                "uid": "f4f7cde6-d789-4795-af62-88999892d162"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:04:39Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:04:39Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pytaf050c7460b8aced211cb709ad9a272fc5b4168f3d0852f517feb446-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\", \"digests\": [\"sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:04:38+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":1,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:03:58Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c5c5dc9327e354915e14db7d8235bf7400e34a09f3e98a11eaaf8ac7f68cbf9c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:04:38Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\\\", \\\"digests\\\": [\\\"sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:04:38+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":1,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:04:28Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/commit_sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-xuiugn",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-push-kkzhz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22764 from redhat-appstudio-qe/konflux-python-component-6fif5m\n\nkonflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7/records/2f9ebb6d-7724-412c-9dd6-4c4a3f1469ae",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"eventType\":\"push\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-02T11:58:03Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRunUID": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "tekton.dev/pipelineTask": "coverity-availability-check",
                    "tekton.dev/task": "coverity-availability-check"
                },
                "name": "pytd673a9cee262c72aa0e3400ab81c6e21-coverity-availability-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-push-kkzhz",
                        "uid": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7"
                    }
                ],
                "resourceVersion": "31271",
                "uid": "2f9ebb6d-7724-412c-9dd6-4c4a3f1469ae"
            },
            "spec": {
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "coverity-availability-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:58:16Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:58:16Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pytd673a9cee262c72aa0e3400a8d0f338aa0a8ffc132d2ca6c10ef4cc6-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "de35caf2f090e3275cfd1019ea50d9662422e904fb4aebd6ea29fb53a1ad57f5"
                        },
                        "entryPoint": "coverity-availability-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check"
                    }
                },
                "results": [
                    {
                        "name": "STATUS",
                        "type": "string",
                        "value": "failed"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"2026-07-02T11:58:15+00:00\",\"note\":\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\",\"namespace\":\"default\",\"successes\":0,\"failures\":1,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T11:58:05Z",
                "steps": [
                    {
                        "container": "step-coverity-availability-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "coverity-availability-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://bcd0744cc65649bca1463c8484e8525e5aa4af726036038886ae074e87e37cea",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:58:15Z",
                            "message": "[{\"key\":\"STATUS\",\"value\":\"failed\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"2026-07-02T11:58:15+00:00\\\",\\\"note\\\":\\\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":1,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:58:15Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This task performs needed checks in order to use Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.",
                    "params": [
                        {
                            "default": "cov-license",
                            "description": "Name of secret which contains the Coverity license",
                            "name": "COV_LICENSE",
                            "type": "string"
                        },
                        {
                            "default": "auth-token-coverity-image",
                            "description": "Name of secret which contains the authentication token for pulling the Coverity image.",
                            "name": "AUTH_TOKEN_COVERITY_IMAGE",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task result output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Tekton task simple status to be later checked",
                            "name": "STATUS",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "COV_LICENSE",
                                    "value": "cov-license"
                                },
                                {
                                    "name": "AUTH_TOKEN_COVERITY_IMAGE",
                                    "value": "auth-token-coverity-image"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "coverity-availability-check",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Checking Coverity license\nCOV_LICENSE_PATH=/etc/secrets/cov/cov-license\nif [ -f \"${COV_LICENSE_PATH}\" ] \u0026\u0026 [ -s \"${COV_LICENSE_PATH}\" ]; then\n  echo \"Coverity license detected!\"\nelse\n  echo 'No license file for Coverity was detected. Coverity scan will not be executed...'\n  echo 'Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license'\n  note=\"Task coverity-availability-check failed: No license file for Coverity was detected. Please, create a secret called 'cov-license' with a key called 'cov-license' and the value containing the Coverity license\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# Checking authentication token for downloading coverity image\nAUTH_TOKEN_COVERITY_IMAGE_PATH=/etc/secrets/auth/config.json\nif [ -f \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ] \u0026\u0026 [ -s \"${AUTH_TOKEN_COVERITY_IMAGE_PATH}\" ]; then\n  echo \"Authentication token detected!\"\nelse\n  echo 'No authentication token for downloading Coverity image detected. Coverity scan will not be executed...'\n  echo 'Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image'\n  note=\"Task coverity-availability-check failed: No authentication token for downloading Coverity image detected. Please, create an imagePullSecret named 'auth-token-coverity-image' with the authentication token for pulling the Coverity image\"\n  TEST_OUTPUT=$(make_result_json -r FAILURE -t \"$note\" -f 1)\n  echo -n \"failed\" | tee \"/tekton/results/STATUS\"\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nnote=\"Task coverity-availability-check completed: Coverity availability checks finished succesfully.\"\n# shellcheck disable=SC2034\nTEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t \"$note\")\necho -n \"success\" | tee \"/tekton/results/STATUS\"\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets/cov",
                                    "name": "cov-license",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/etc/secrets/auth/config.json",
                                    "name": "auth-token-coverity-image",
                                    "subPath": ".dockerconfigjson"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "cov-license",
                            "secret": {
                                "optional": true,
                                "secretName": "cov-license"
                            }
                        },
                        {
                            "name": "auth-token-coverity-image",
                            "secret": {
                                "optional": true,
                                "secretName": "auth-token-coverity-image"
                            }
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/commit_sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-xuiugn",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-push-kkzhz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22764 from redhat-appstudio-qe/konflux-python-component-6fif5m\n\nkonflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7/records/6fd961fc-f720-422b-b73b-5eba10d93371",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"eventType\":\"push\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-02T11:58:03Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRunUID": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check"
                },
                "name": "pytd673a9cee262c72aa0e3400ab81c6e21-deprecated-base-image-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-push-kkzhz",
                        "uid": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7"
                    }
                ],
                "resourceVersion": "31480",
                "uid": "6fd961fc-f720-422b-b73b-5eba10d93371"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:58:21Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:58:21Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "pytd673a9cee262c72aa0e3400a27d146762d154b1c358427edb2d5540d-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7\", \"digests\": [\"sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T11:58:20+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":1,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T11:58:03Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "check-images",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://aa79c951b01edf8f0f1544dc73258a8eabba1aa17289d930a8e291ea4ee774fc",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:58:20Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7\\\", \\\"digests\\\": [\\\"sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T11:58:20+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":1,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:58:10Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/commit_sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-802c3d0f8b",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wevzrw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-p2h7h",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089/records/e19ed283-b3f8-4b7f-bf33-56465fc5208f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"7705e62986c83b49dab82b88455e8ec95577f411\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6hwd6 is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:06:53Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRunUID": "c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-co0d240930c95a99a47c3f4267213bf308-prefetch-dependencies",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-p2h7h",
                        "uid": "c40ed468-8b85-4fa2-849a-6ae88f2ca089"
                    }
                ],
                "resourceVersion": "40518",
                "uid": "e19ed283-b3f8-4b7f-bf33-56465fc5208f"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-afca302f19"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-wevzrw"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:07:05Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:07:05Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-co0d240930c95a99a47c1700b0cffe43783fc1761c42f47331b9-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-02T12:06:53Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b65d1d2adb879ebe54703580163b6ebafdf5729d7848fcb184d0dad26ace661a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:07:04Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:06:59Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/commit_sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/pull_request_number": "22764",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-93a292d3e0",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ypygym",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-wbpv6",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-6fif5m",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4/records/6f86a6c2-ee52-4110-b6f8-867780d4175b",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"eventType\":\"pull_request\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-6fif5m",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:47:26Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRunUID": "0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies",
                    "test.appstudio.openshift.io/pr-group-sha": "fd66cde0805e19cbd9b5884b85b639a30fb4757b4422719e277ec8c564669f"
                },
                "name": "python-co6bc7cc7a936a86201ddb1c2b5ff519f9-prefetch-dependencies",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-wbpv6",
                        "uid": "0eb86332-163e-412e-ae6b-cb4bd354c8a4"
                    }
                ],
                "resourceVersion": "22157",
                "uid": "6f86a6c2-ee52-4110-b6f8-867780d4175b"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b56dc2d206"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-ypygym"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:47:37Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:47:37Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-co6bc7cc7a936a86201d16118735ebf187b06d47d0fb2136322f-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-02T11:47:26Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://1a7890b9184b2bb97aea2433e0b656434de66664983b0eb9dabdcbbab0b78865",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:47:37Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:47:31Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/commit_sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-67ed625b67",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ammwba",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-8nqvb",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8/records/96439ec0-12dc-4b29-8362-d4c60933bfcb",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6p5dm is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:59:37Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRunUID": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-coaf050c7460b8aced211cb7091ae23390-prefetch-dependencies",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-8nqvb",
                        "uid": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8"
                    }
                ],
                "resourceVersion": "33375",
                "uid": "96439ec0-12dc-4b29-8362-d4c60933bfcb"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-6aee43a5b1"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-ammwba"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:59:48Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:59:48Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-coaf050c7460b8aced211f922db1fbcb4954b179b0aa153e86a9-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-02T11:59:38Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://16ef4475baf4f5fc5d648b6463853f8e0af66d445a6a1f51e6c8a5363227a9ec",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:59:47Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:59:42Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/commit_sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wevzrw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-p2h7h",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089/records/ef02fc0d-c5a1-4571-a827-89781ad318db",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"7705e62986c83b49dab82b88455e8ec95577f411\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6hwd6 is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:10:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRunUID": "c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-comp0d240930c95a99a47c3f4267213bf308-rpms-signature-scan",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-p2h7h",
                        "uid": "c40ed468-8b85-4fa2-849a-6ae88f2ca089"
                    }
                ],
                "resourceVersion": "45144",
                "uid": "ef02fc0d-c5a1-4571-a827-89781ad318db"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:12:42Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:12:42Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-comp0d240930c95a99a49921a894478b063fa58a9709975001f3-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411\", \"digests\": [\"sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 467, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:12:41+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:10:48Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://842549a5a3e012f3f32f72604832a7c18eba7d3be9f85794a7e40701671e5eed",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:12:40Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:11:44Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://add05abd87d0ebe354433d60901d600b9d07bd40b4f48fd1366343487b56c9c2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:12:42Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411\\\", \\\"digests\\\": [\\\"sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 467, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:12:41+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:12:41Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/commit_sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/pull_request_number": "22764",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ypygym",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-wbpv6",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-6fif5m",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4/records/96a252d3-c150-4940-b562-76a1d825915a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"eventType\":\"pull_request\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-6fif5m",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:51:26Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRunUID": "0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "fd66cde0805e19cbd9b5884b85b639a30fb4757b4422719e277ec8c564669f"
                },
                "name": "python-comp6bc7cc7a936a86201ddb1c2b5ff519f9-rpms-signature-scan",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-wbpv6",
                        "uid": "0eb86332-163e-412e-ae6b-cb4bd354c8a4"
                    }
                ],
                "resourceVersion": "26105",
                "uid": "96a252d3-c150-4940-b562-76a1d825915a"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:52:39Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:52:39Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-comp6bc7cc7a936a86209f20b6d35f252b5a05e80c17e7304b60-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c\", \"digests\": [\"sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 467, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T11:52:38+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T11:51:30Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9e41ddce058ab02cb0fd1d2dd496c400712a1c5fa504336ad4b0efa6a20bc3f4",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:52:37Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:51:43Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://737c291d19645b03d35f94df274f3ab434568acedc5ed3080652d67ee6d58615",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:52:39Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c\\\", \\\"digests\\\": [\\\"sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 467, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T11:52:38+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:52:38Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/commit_sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ammwba",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-8nqvb",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8/records/020a6050-0381-4194-b070-5dd5b7cd42e7",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6p5dm is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:04:00Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRunUID": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-compaf050c7460b8aced211cb7091ae23390-rpms-signature-scan",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-8nqvb",
                        "uid": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8"
                    }
                ],
                "resourceVersion": "38679",
                "uid": "020a6050-0381-4194-b070-5dd5b7cd42e7"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:05:29Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:05:29Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-compaf050c7460b8aced93d9eb9e685acd0c6a1d9915bfbdc1e2-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\", \"digests\": [\"sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 467, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:05:28+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:04:07Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://632a2b42bbe2cac66626943c47a18e69ccc281c983896d9a9a0559bbaefa2528",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:05:27Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:04:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a0fee61a3549f4020c490833558ab70141a6ea1f169898e6d5dd1aa4ebb77f11",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:05:29Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\\\", \\\"digests\\\": [\\\"sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 467, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:05:28+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:05:28Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/commit_sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-802c3d0f8b",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wevzrw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-p2h7h",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089/records/f3b5f7f6-1790-47ac-a688-76fcfaaa19ff",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"7705e62986c83b49dab82b88455e8ec95577f411\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6hwd6 is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:10:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRunUID": "c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-compo0d240930c95a99a47c3f4267213bf308-sast-unicode-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-p2h7h",
                        "uid": "c40ed468-8b85-4fa2-849a-6ae88f2ca089"
                    }
                ],
                "resourceVersion": "44193",
                "uid": "f3b5f7f6-1790-47ac-a688-76fcfaaa19ff"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-afca302f19"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:11:54Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:11:54Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-compo0d240930c95a99a22d14fe754979cfbf0877f1da7c51473-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:11:45+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:10:45Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://827b4aa98efe49aa348a4c80f202792f6aab4b4d06296c59724e23609cdb5453",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:11:45Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:11:45+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:11:44Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4f33da7a58477a99bc267dcbb410cbff4dcbea35e29ae8bf6b887921928855f0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:11:47Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:11:45+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:11:46Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/commit_sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/pull_request_number": "22764",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-93a292d3e0",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ypygym",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-wbpv6",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-6fif5m",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4/records/c1d35b9e-bc29-4f0f-911e-7651bd6825cf",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"eventType\":\"pull_request\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-6fif5m",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:51:26Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRunUID": "0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "fd66cde0805e19cbd9b5884b85b639a30fb4757b4422719e277ec8c564669f"
                },
                "name": "python-compo6bc7cc7a936a86201ddb1c2b5ff519f9-sast-unicode-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-wbpv6",
                        "uid": "0eb86332-163e-412e-ae6b-cb4bd354c8a4"
                    }
                ],
                "resourceVersion": "25487",
                "uid": "c1d35b9e-bc29-4f0f-911e-7651bd6825cf"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b56dc2d206"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:51:47Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:51:47Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-compo6bc7cc7a936a862d6bc18b681204581a12dac74b9fe2e01-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T11:51:44+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T11:51:28Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4b91eb4f841be855dc67576214cd5d584a13a50f1dcee9dd7ea3e2c1e3eecf84",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:51:44Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T11:51:44+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:51:43Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://20bd498612283d7de1e34ec3c422334c99c9c2428c1ca946695096fc726d04e5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:51:46Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T11:51:44+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:51:45Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/commit_sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-67ed625b67",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ammwba",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-8nqvb",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8/records/3d880dad-233b-4749-a679-01518b772ffb",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6p5dm is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:03:59Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRunUID": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-compoaf050c7460b8aced211cb7091ae23390-sast-unicode-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-8nqvb",
                        "uid": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8"
                    }
                ],
                "resourceVersion": "38091",
                "uid": "3d880dad-233b-4749-a679-01518b772ffb"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-6aee43a5b1"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:04:37Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:04:37Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-compoaf050c7460b8ace3143b28adc9dbf56eed8cdb142f4d910-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:04:35+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:04:04Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://55f25c23186a7532b78c6eb0954b1f39da69aa54e0e765042ffb25405b868df2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:04:35Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:04:35+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:04:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://729c7be53e2c27be1be22e1284fe610adc33b5db59cdc017780337921e3b38ef",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:04:37Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:04:35+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:04:35Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/commit_sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ammwba",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-8nqvb",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8/records/cdba77f0-e04a-4728-b7c0-313e51d2caed",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6p5dm is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:04:00Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRunUID": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-component-6fif5m-on-pull-request-8nqvb-apply-tags",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-8nqvb",
                        "uid": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8"
                    }
                ],
                "resourceVersion": "37809",
                "uid": "cdba77f0-e04a-4728-b7c0-313e51d2caed"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:04:31Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:04:31Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-pull-request-8nqvb-apply-tags-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-02T12:04:05Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ca68061af860cb19b8336167e3236f3e2bb9469a7d48e0ac081a9b29d34efdf2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:04:28Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:04:27Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                                "--digest",
                                "sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/commit_sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-67ed625b67",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ammwba",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-8nqvb",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8/records/3e3101fe-848d-4ed6-a99c-a4393e27af58",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6p5dm is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:59:51Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRunUID": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-component-6fif5m-on-pull-request-8nqvb-build-container",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-8nqvb",
                        "uid": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8"
                    }
                ],
                "resourceVersion": "36336",
                "uid": "3e3101fe-848d-4ed6-a99c-a4393e27af58"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-6aee43a5b1"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:03:28Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:03:28Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-49f00b8be2a4d2652f49793049b9accd-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b@sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:8aeafe814b90e86286b7bbbf338a34be56bc01831973f000b15783f85ae058f9"
                    }
                ],
                "startTime": "2026-07-02T11:59:51Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b567b7333cfa621daaacec8faa011a6bfd6e254d82e9cd039c624325ce612e4f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:00:47Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:59:58Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2f4a997609a00c8307092f0c0d0d06ba88f6ada897c81328408f1a0aacefdbb5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:01:39Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b@sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:00:48Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ce4ae31fdc83e46ab583b900f99ba2dd2d7b455aa52a5d4f0360627da12bed85",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:02:11Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b@sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:01:40Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e72d60a144efcd82f6c0d2dc94a1f3b4a20ae6fbb01f00ee69bbe1cc98c41558",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:02:45Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b@sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:11Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://614f69110d366ce6f9cbb14fafd4a7ea9e9ed5ddb7830873ac281b06f7264638",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:03:27Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b@sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:8aeafe814b90e86286b7bbbf338a34be56bc01831973f000b15783f85ae058f9\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:02:45Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "python-component"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "docker/Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "python-component-6fif5m-on-pull-request-8nqvb-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/commit_sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ammwba",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-8nqvb",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8/records/84ec7e50-910f-4427-97f7-90c2820b7125",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6p5dm is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:03:29Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRunUID": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-component-6fif5m-on-pull-request-8nqvb-build-image-index",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-8nqvb",
                        "uid": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8"
                    }
                ],
                "resourceVersion": "37385",
                "uid": "84ec7e50-910f-4427-97f7-90c2820b7125"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b@sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:03:57Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:03:57Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-94ad75e0983977149f594a2b7b9e2bff-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                    }
                ],
                "startTime": "2026-07-02T12:03:30Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a20a46166a061fba567590a85200c8a2750d13b83bbdbcc02e029231bf1ffdf0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:03:45Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:03:41Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://511878b26925a1bcb6c62c633b00ec48e5a4686bcb2c90cac22a98ac149e1d34",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:03:47Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:03:46Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f5d81dac4a20070baa41ac57a39117ae95d63a18975f12b69c164b0824e5a10e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:03:52Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:03:47Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b@sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:python-component-6fif5m-on-pull-request-8nqvb-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:python-component-6fif5m-on-pull-request-8nqvb-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/commit_sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ammwba",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-8nqvb",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8/records/27b286c4-b3d3-4378-a350-84eecd2b43f6",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6p5dm is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:03:58Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRunUID": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-component-6fif5m-on-pull-request-8nqvb-clair-scan",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-8nqvb",
                        "uid": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8"
                    }
                ],
                "resourceVersion": "39313",
                "uid": "27b286c4-b3d3-4378-a350-84eecd2b43f6"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:05:55Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:05:55Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-pull-request-8nqvb-clair-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\", \"digests\": [\"sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\":\"sha256:94b8b07a47e925f5c53dbf1977fc927926be667007ef98be66e516e3e8e43f7c\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":331,\"medium\":873,\"low\":241,\"unknown\":2},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":4,\"medium\":489,\"low\":633,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:05:53+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:03:58Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b8afd355833e7489f23f0c33e5c64e36b6dbc57dafc2af1acd4e920d47b3c097",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:04:39Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:04:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://28b94d779bbf19b7070649e8badccfd4c9593bdfa16d0ca0ed7111a986d1dbbd",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:05:14Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:04:39Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://82ead30253e3703d32456b123c12bdc05ceffb128213554f99428e180a0e75f2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:05:17Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:05:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://eae300ebdd2cc6671d00a61e1a8aca41dd4c49a92a5ffd13a578f29ac55066a2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:05:54Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\\\", \\\"digests\\\": [\\\"sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\\\":\\\"sha256:94b8b07a47e925f5c53dbf1977fc927926be667007ef98be66e516e3e8e43f7c\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":331,\\\"medium\\\":873,\\\"low\\\":241,\\\"unknown\\\":2},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":4,\\\"medium\\\":489,\\\"low\\\":633,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:05:53+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:05:18Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/commit_sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ammwba",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-8nqvb",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8/records/0140afca-bbf8-49dd-b802-4729b2b5c8b4",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6p5dm is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:03:59Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRunUID": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-component-6fif5m-on-pull-request-8nqvb-clamav-scan",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-8nqvb",
                        "uid": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8"
                    }
                ],
                "resourceVersion": "38872",
                "uid": "0140afca-bbf8-49dd-b802-4729b2b5c8b4"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:05:48Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:05:48Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-pull-request-8nqvb-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\", \"digests\": [\"sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782993945\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-02T12:04:02Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:51306b4d971e7c1fa2bd1a055b4727dcd33ca920b9899642aba57bf79237fa93",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4b6253a6082a9388707861893d85624e34924dbac6bb3dad05e00597ca3866c6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:05:45Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\\\", \\\"digests\\\": [\\\"sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782993945\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:04:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ef07801ab4bbb7e75c72c3ddaf5fd2db5c5a25e6b46640fb6f2ec156bf8479f0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:05:48Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\\\", \\\"digests\\\": [\\\"sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782993945\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:05:46Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/commit_sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-67ed625b67",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ammwba",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-8nqvb",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8/records/457a4e52-7406-4eaf-be88-0d82bf1caed2",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6p5dm is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:59:27Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRunUID": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-component-6fif5m-on-pull-request-8nqvb-clone-repository",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-8nqvb",
                        "uid": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8"
                    }
                ],
                "resourceVersion": "32745",
                "uid": "457a4e52-7406-4eaf-be88-0d82bf1caed2"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "revision",
                        "value": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-6aee43a5b1"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-ammwba"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:59:35Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:59:35Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-c9d10b95380b8ea97574366993a0dbaa-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1782993525"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "d4cdb5b"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    }
                ],
                "startTime": "2026-07-02T11:59:27Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3acf7b05636d476379fa9df1754c0703d6641378ff02bb2c9fec4ffb33979de7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:59:33Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782993525\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"d4cdb5b\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:59:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://03f217f1d223b0656cdf50d0400d63f26623564ff87df93dc1093392a9409d3d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:59:34Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782993525\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"d4cdb5b\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:59:34Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/commit_sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ammwba",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-8nqvb",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8/records/13cae9da-f8cc-475e-bae1-1a2579f0bdcb",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6p5dm is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:59:19Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRunUID": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-component-6fif5m-on-pull-request-8nqvb-init",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-8nqvb",
                        "uid": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8"
                    }
                ],
                "resourceVersion": "32482",
                "uid": "13cae9da-f8cc-475e-bae1-1a2579f0bdcb"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:59:24Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:59:24Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-pull-request-8nqvb-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-02T11:59:19Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://daede1ff0e29a1e5859ad47e2a3bcb4c8efe7b449b50217a086ed909c571cf59",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:59:24Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:59:23Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/commit_sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-67ed625b67",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ammwba",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-8nqvb",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8/records/fbd3b747-54e8-4a7d-b4d1-3ca1fc48852d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6p5dm is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:04:00Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRunUID": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-component-6fif5m-on-pull-request-8nqvb-push-dockerfile",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-8nqvb",
                        "uid": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8"
                    }
                ],
                "resourceVersion": "37825",
                "uid": "fbd3b747-54e8-4a7d-b4d1-3ca1fc48852d"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-6aee43a5b1"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:04:32Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:04:32Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-af0f69f7e4bdf7612a723948af2f1b0d-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:1c230ff3218f80f7985ce3854397a4d8421040864de0e24cbad97620369c48ef"
                    }
                ],
                "startTime": "2026-07-02T12:04:06Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8340a72cfbcff4c39ab363663c8006127b4923c5cd871d1711ccdd813d3fcae8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:04:30Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:1c230ff3218f80f7985ce3854397a4d8421040864de0e24cbad97620369c48ef\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:04:30Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                "python-component",
                                "--containerfile",
                                "docker/Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                                "--image-digest",
                                "sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/commit_sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-67ed625b67",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ammwba",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-8nqvb",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8/records/8218a7f4-3eb4-4315-b85f-8d01912f920c",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6p5dm is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:03:59Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRunUID": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-component-6fif5m-on-pull-request-8nqvb-sast-shell-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-8nqvb",
                        "uid": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8"
                    }
                ],
                "resourceVersion": "38087",
                "uid": "8218a7f4-3eb4-4315-b85f-8d01912f920c"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-6aee43a5b1"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:04:40Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:04:40Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-1ca08c9d52d06201bad26fbe8714dc66-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:04:35+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:04:03Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://bc97286c54cf0984aae3f6e5e78210d08ce3983a43bb98bc2f63c264ddbb55e3",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:04:35Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:04:35+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:04:34Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://91768d6547ed5b3d17ce2b71d1646fa3cfd7efa5e089d4fea95fe33a6fe4ade2",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:04:39Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:04:35+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:04:36Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/commit_sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-67ed625b67",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ammwba",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-8nqvb",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8/records/5450ddd2-ceac-44fe-ae63-ecac53a05721",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6p5dm is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:03:58Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRunUID": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-component-6fif5m-on-pull-request-8nqvb-sast-snyk-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-8nqvb",
                        "uid": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8"
                    }
                ],
                "resourceVersion": "38027",
                "uid": "5450ddd2-ceac-44fe-ae63-ecac53a05721"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-6aee43a5b1"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:04:36Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:04:36Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-26cb57b043cd631537c5853dd1257dce-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-02T12:04:35+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:04:00Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3143f7aaff84e584d2d2095651a0957ca74d2e6278e698ea20282bd9f12a1381",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:04:35Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-02T12:04:35+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:04:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c248bea5fb054656e509f3e0f2aa29c30a03a9971169f4f8355ca4cdbb71a6c9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:04:36Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-02T12:04:35+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:04:36Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/commit_sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wevzrw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-p2h7h",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089/records/e52a06f6-56fa-497f-8c5c-ee6534fed6db",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"7705e62986c83b49dab82b88455e8ec95577f411\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6hwd6 is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:10:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRunUID": "c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-component-6fif5m-on-pull-request-p2h7h-apply-tags",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-p2h7h",
                        "uid": "c40ed468-8b85-4fa2-849a-6ae88f2ca089"
                    }
                ],
                "resourceVersion": "43977",
                "uid": "e52a06f6-56fa-497f-8c5c-ee6534fed6db"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:11:39Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:11:39Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-pull-request-p2h7h-apply-tags-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-02T12:10:46Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2eed411719737f153710b77a9f5b62d0eb967563d742914b89b72bce16ccb659",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:11:27Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:11:26Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411",
                                "--digest",
                                "sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/commit_sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-802c3d0f8b",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wevzrw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-p2h7h",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089/records/c340754a-ef6e-4661-934b-921b12b9cb50",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"7705e62986c83b49dab82b88455e8ec95577f411\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6hwd6 is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:07:05Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRunUID": "c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-component-6fif5m-on-pull-request-p2h7h-build-container",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-p2h7h",
                        "uid": "c40ed468-8b85-4fa2-849a-6ae88f2ca089"
                    }
                ],
                "resourceVersion": "42209",
                "uid": "c340754a-ef6e-4661-934b-921b12b9cb50"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "7705e62986c83b49dab82b88455e8ec95577f411"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-afca302f19"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:10:25Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:10:25Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-fab476fbe29ee1fa906624ba1a7c5a07-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411@sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:f46219fb4f24582ba7cbb73db4d19e4dc08c23a33b044458bec0fda12edcb1e1"
                    }
                ],
                "startTime": "2026-07-02T12:07:05Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a69cda2be3f0f93cdee03f1735dd3fa6cefa07128294963d8d0ca16a3e89b2dc",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:07:44Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:07:12Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5475e21dee79e4d4bf3caaddc3317631b1eaeaac46d565413141c7cdc08d96a4",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:08:41Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411@sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:07:44Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a36f80e2d9c8fb74d99d5dc6be73c524379b54b80d3452adae95ab0916d98720",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:09:13Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411@sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:08:42Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6b6ba6e4e2f1d3d731df66c2d526f556203062eb4d87f94acc41637302dd5e56",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:09:44Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411@sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:09:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c7f84143c451b5ce3a4bd63424ae0edab0e0d51e97a3ffbd1788eb85598311f1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:10:24Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411@sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:f46219fb4f24582ba7cbb73db4d19e4dc08c23a33b044458bec0fda12edcb1e1\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:09:45Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "python-component"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "7705e62986c83b49dab82b88455e8ec95577f411"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "docker/Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "python-component-6fif5m-on-pull-request-p2h7h-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/commit_sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wevzrw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-p2h7h",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089/records/ab527f56-8519-4d03-a3ca-3d1399bd5496",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"7705e62986c83b49dab82b88455e8ec95577f411\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6hwd6 is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:10:25Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRunUID": "c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-component-6fif5m-on-pull-request-p2h7h-build-image-index",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-p2h7h",
                        "uid": "c40ed468-8b85-4fa2-849a-6ae88f2ca089"
                    }
                ],
                "resourceVersion": "43221",
                "uid": "ab527f56-8519-4d03-a3ca-3d1399bd5496"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "7705e62986c83b49dab82b88455e8ec95577f411"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411@sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:10:40Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:10:40Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-0d32eaeb7cdc96f428a5aa153a5b03e2-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                    }
                ],
                "startTime": "2026-07-02T12:10:25Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b900b4d832468fc71e2e9ec9f6a5ad83d0bfcfa97bc67ac998208b25bdd725f1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:10:32Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:10:29Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6d3caba7766022d4f27265aca0671263c225dd8cfa6c95556b7ea642ad51a3b5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:10:33Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:10:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://115a95a9496155356b5c2ab9e6b5a64b977506e2134b3fded7752fbdd79534ef",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:10:39Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:10:33Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "7705e62986c83b49dab82b88455e8ec95577f411"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411@sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:python-component-6fif5m-on-pull-request-p2h7h-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:python-component-6fif5m-on-pull-request-p2h7h-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/commit_sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wevzrw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-p2h7h",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089/records/dce74677-456f-4ea4-954e-2b58c4e083f8",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"7705e62986c83b49dab82b88455e8ec95577f411\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6hwd6 is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:10:41Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRunUID": "c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-component-6fif5m-on-pull-request-p2h7h-clair-scan",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-p2h7h",
                        "uid": "c40ed468-8b85-4fa2-849a-6ae88f2ca089"
                    }
                ],
                "resourceVersion": "45252",
                "uid": "dce74677-456f-4ea4-954e-2b58c4e083f8"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:12:44Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:12:44Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-pull-request-p2h7h-clair-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411\", \"digests\": [\"sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\":\"sha256:e26be946b907c6269c3243988b82ce19829255c34c2412db2c3e0d9d528a5d34\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":331,\"medium\":873,\"low\":241,\"unknown\":2},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":4,\"medium\":489,\"low\":633,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:12:43+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:10:41Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d68123546e1129723340ca1028f96d357fa8cae381a8e3bf7a27e5c8500972a4",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:11:15Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:11:08Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://22c3776be9651ca6ee382853cbe68e334b48d3ae93e67f2738168096af5172fb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:12:04Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:11:15Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3912431cd39b01afcea35fed4e757b55f03fa5fafbb543c231fe2483c637eec4",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:12:07Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:12:04Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://883c53a42dc689b1a2d059ec54a8008840f9dd3266c3cb6bf0825cd102cc247e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:12:43Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411\\\", \\\"digests\\\": [\\\"sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\\\":\\\"sha256:e26be946b907c6269c3243988b82ce19829255c34c2412db2c3e0d9d528a5d34\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":331,\\\"medium\\\":873,\\\"low\\\":241,\\\"unknown\\\":2},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":4,\\\"medium\\\":489,\\\"low\\\":633,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:12:43+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:12:08Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/commit_sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wevzrw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-p2h7h",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089/records/a8511a8b-3cf7-4b67-af15-020f43086011",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"7705e62986c83b49dab82b88455e8ec95577f411\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6hwd6 is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:10:41Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRunUID": "c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-component-6fif5m-on-pull-request-p2h7h-clamav-scan",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-p2h7h",
                        "uid": "c40ed468-8b85-4fa2-849a-6ae88f2ca089"
                    }
                ],
                "resourceVersion": "45105",
                "uid": "a8511a8b-3cf7-4b67-af15-020f43086011"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:12:42Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:12:42Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-pull-request-p2h7h-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411\", \"digests\": [\"sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782994358\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-02T12:10:43Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:51306b4d971e7c1fa2bd1a055b4727dcd33ca920b9899642aba57bf79237fa93",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6c3ef98c0b14b434c4c670688426e9aab64289afe1edb9ebde0cf42753fec7bf",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:12:38Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411\\\", \\\"digests\\\": [\\\"sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782994358\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:11:28Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://850ee40e8afea2d70c31ad1757291b4badba41a0b4720c700dfadf6dc37df93e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:12:41Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411\\\", \\\"digests\\\": [\\\"sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782994358\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:12:38Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/commit_sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-802c3d0f8b",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wevzrw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-p2h7h",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089/records/d4a8b12d-0376-45cb-8906-764a9184eb92",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"7705e62986c83b49dab82b88455e8ec95577f411\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6hwd6 is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:06:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRunUID": "c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-component-6fif5m-on-pull-request-p2h7h-clone-repository",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-p2h7h",
                        "uid": "c40ed468-8b85-4fa2-849a-6ae88f2ca089"
                    }
                ],
                "resourceVersion": "40172",
                "uid": "d4a8b12d-0376-45cb-8906-764a9184eb92"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "revision",
                        "value": "7705e62986c83b49dab82b88455e8ec95577f411"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-afca302f19"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-wevzrw"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:06:50Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:06:50Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-802a6834d95be2fa9f66b84dfdf1e3ac-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "7705e62986c83b49dab82b88455e8ec95577f411"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "7705e62986c83b49dab82b88455e8ec95577f411"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1782993969"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "7705e62"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    }
                ],
                "startTime": "2026-07-02T12:06:43Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a193d44aaf215cb071f9c007d257a288e88f1a70987478f250b0a048c82a16bb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:06:48Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"7705e62986c83b49dab82b88455e8ec95577f411\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"7705e62986c83b49dab82b88455e8ec95577f411\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782993969\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"7705e62\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:06:48Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b28bd60b6b8b8ca5bb62f0635de088a41f8a27c5e7c0360aa6218b194445bef5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:06:49Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"7705e62986c83b49dab82b88455e8ec95577f411\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"7705e62986c83b49dab82b88455e8ec95577f411\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782993969\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"7705e62\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:06:49Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "7705e62986c83b49dab82b88455e8ec95577f411"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/commit_sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wevzrw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-p2h7h",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089/records/245175be-c139-484c-ade8-e8824f2b1cfb",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"7705e62986c83b49dab82b88455e8ec95577f411\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6hwd6 is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:06:35Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRunUID": "c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-component-6fif5m-on-pull-request-p2h7h-init",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-p2h7h",
                        "uid": "c40ed468-8b85-4fa2-849a-6ae88f2ca089"
                    }
                ],
                "resourceVersion": "40133",
                "uid": "245175be-c139-484c-ade8-e8824f2b1cfb"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:06:38Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:06:38Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-pull-request-p2h7h-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-02T12:06:36Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://38ddd7223dfe39f1bfeaee590e1027d1e683d15b09e08b62ef733b7cc0c195e9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:06:38Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:06:38Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/commit_sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-802c3d0f8b",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wevzrw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-p2h7h",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089/records/c6c75b80-6fa5-46ff-b630-95b7d97d28e2",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"7705e62986c83b49dab82b88455e8ec95577f411\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6hwd6 is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:10:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRunUID": "c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-component-6fif5m-on-pull-request-p2h7h-push-dockerfile",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-p2h7h",
                        "uid": "c40ed468-8b85-4fa2-849a-6ae88f2ca089"
                    }
                ],
                "resourceVersion": "43996",
                "uid": "c6c75b80-6fa5-46ff-b630-95b7d97d28e2"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-afca302f19"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:11:44Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:11:44Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-4f23f60da1443e36b9c8714db7a92dfd-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:fdc9c9f71d84059d32d27b61cf53f13d16645674eb506c91e222b1a9cfb71ae2"
                    }
                ],
                "startTime": "2026-07-02T12:10:46Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://de881baa07731bff176c3a6fd7db7c69a7217be44a48403b63ed91f68b2df8e7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:11:43Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:fdc9c9f71d84059d32d27b61cf53f13d16645674eb506c91e222b1a9cfb71ae2\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:11:42Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                "python-component",
                                "--containerfile",
                                "docker/Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411",
                                "--image-digest",
                                "sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/commit_sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-802c3d0f8b",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wevzrw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-p2h7h",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089/records/2b637834-c9af-4f38-b1f9-294fdc359ddc",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"7705e62986c83b49dab82b88455e8ec95577f411\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6hwd6 is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:10:42Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRunUID": "c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-component-6fif5m-on-pull-request-p2h7h-sast-shell-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-p2h7h",
                        "uid": "c40ed468-8b85-4fa2-849a-6ae88f2ca089"
                    }
                ],
                "resourceVersion": "44173",
                "uid": "2b637834-c9af-4f38-b1f9-294fdc359ddc"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-afca302f19"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:11:54Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:11:54Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-b630f9d847e3dae37a280a7390947e44-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T12:11:45+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:10:44Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://377f3d4a22ae78ad35adb98aa6efa7c846664ff84a770a51474d3fb0bb0337ae",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:11:45Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:11:45+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:11:43Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://803f1880c7b39a0059270b051947107888a140128b1ca7e879de8536fa31a0eb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:11:46Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T12:11:45+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:11:45Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/commit_sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-802c3d0f8b",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wevzrw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-p2h7h",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089/records/8c586176-8142-4f40-8072-c185f75365b3",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"7705e62986c83b49dab82b88455e8ec95577f411\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6hwd6 is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:10:41Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRunUID": "c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-component-6fif5m-on-pull-request-p2h7h-sast-snyk-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-p2h7h",
                        "uid": "c40ed468-8b85-4fa2-849a-6ae88f2ca089"
                    }
                ],
                "resourceVersion": "44115",
                "uid": "8c586176-8142-4f40-8072-c185f75365b3"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-afca302f19"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:11:39Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:11:39Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-ae786609589778c69aa3fd6193ff642e-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-02T12:11:29+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T12:10:43Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://67aa4bbb632622ad23eaa115d20e6cb712e7243b2cdbb0ff6d1a5e7dfc15ced7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:11:29Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-02T12:11:29+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:11:28Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a994ba58c752850b06d172a831f2e82d3ac21ed6ca25baacdba59be998232f98",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:11:30Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-02T12:11:29+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:11:30Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/commit_sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/pull_request_number": "22764",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ypygym",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-wbpv6",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-6fif5m",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4/records/9d83c3ab-21f4-4858-93d0-029759aed800",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"eventType\":\"pull_request\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-6fif5m",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:51:26Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRunUID": "0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags",
                    "test.appstudio.openshift.io/pr-group-sha": "fd66cde0805e19cbd9b5884b85b639a30fb4757b4422719e277ec8c564669f"
                },
                "name": "python-component-6fif5m-on-pull-request-wbpv6-apply-tags",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-wbpv6",
                        "uid": "0eb86332-163e-412e-ae6b-cb4bd354c8a4"
                    }
                ],
                "resourceVersion": "25503",
                "uid": "9d83c3ab-21f4-4858-93d0-029759aed800"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:51:45Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:51:45Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-pull-request-wbpv6-apply-tags-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-02T11:51:29Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2c9f8b926e633b4d72f0c1be94f0d181fc9b8baf2c0c8540760d73643f875289",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:51:44Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:51:42Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                                "--digest",
                                "sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/commit_sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/pull_request_number": "22764",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-93a292d3e0",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ypygym",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-wbpv6",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-6fif5m",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4/records/08ab261e-71e4-470f-bf8a-cf4bed99e001",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"eventType\":\"pull_request\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-6fif5m",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:47:39Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRunUID": "0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah",
                    "test.appstudio.openshift.io/pr-group-sha": "fd66cde0805e19cbd9b5884b85b639a30fb4757b4422719e277ec8c564669f"
                },
                "name": "python-component-6fif5m-on-pull-request-wbpv6-build-container",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-wbpv6",
                        "uid": "0eb86332-163e-412e-ae6b-cb4bd354c8a4"
                    }
                ],
                "resourceVersion": "24577",
                "uid": "08ab261e-71e4-470f-bf8a-cf4bed99e001"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b56dc2d206"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:50:59Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:50:59Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-859225525192af4ee698adc50f218b14-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c@sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:f6facb9bbec1081f5b6d6217ddf570964a3f2574f51b58d00eabbe2bf1370ae5"
                    }
                ],
                "startTime": "2026-07-02T11:47:39Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c8cb534916df2d10ecdd1833fd350d5db221af765ce8b1982d2c143a7436a611",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:48:25Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:47:45Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://58444a89f592513dab0e2fb915289c7d44db08ffa8646434a9f3cff0ce9febe5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:49:17Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c@sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:48:26Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f5be52e21e3f4930e3366d7f9518f402f5b108413999130480ce6161a408d584",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:49:48Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c@sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:49:17Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://52da13478bd508627d263849b2ebaf2f99032c2fe50e26f2ab7aec4a252d6c2d",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:50:19Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c@sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:49:49Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://97e7f356569f2468ce1a5287e7e9575e53ba10114eb91f32620b509bb8a37b7a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:50:58Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c@sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:f6facb9bbec1081f5b6d6217ddf570964a3f2574f51b58d00eabbe2bf1370ae5\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:50:19Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "python-component"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "5d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "docker/Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "python-component-6fif5m-on-pull-request-wbpv6-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/commit_sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/pull_request_number": "22764",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ypygym",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-wbpv6",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-6fif5m",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4/records/21bc77b4-0629-4fc0-acbc-c23e88fe7576",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"eventType\":\"pull_request\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-6fif5m",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:50:59Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRunUID": "0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index",
                    "test.appstudio.openshift.io/pr-group-sha": "fd66cde0805e19cbd9b5884b85b639a30fb4757b4422719e277ec8c564669f"
                },
                "name": "python-component-6fif5m-on-pull-request-wbpv6-build-image-index",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-wbpv6",
                        "uid": "0eb86332-163e-412e-ae6b-cb4bd354c8a4"
                    }
                ],
                "resourceVersion": "24937",
                "uid": "21bc77b4-0629-4fc0-acbc-c23e88fe7576"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": "5d"
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c@sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:51:25Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:51:25Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-9227539ee3b33ce063d46c41d328233b-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                    }
                ],
                "startTime": "2026-07-02T11:50:59Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c66b5d19dc93d7accb8766135ffdba9c8a5c65a5d406d03aee9b68b91af1ce08",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:51:10Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:51:06Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c46a58aa11c982f64c33fc8182deaa12b7b32862e4fc6db26e2fcde3941f34e8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:51:11Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:51:10Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://8cbc534896df367e37f75b1b07ddf00067b99ea19b5e478163048cf901d14c81",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:51:18Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:51:11Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c@sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:python-component-6fif5m-on-pull-request-wbpv6-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:python-component-6fif5m-on-pull-request-wbpv6-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/commit_sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/pull_request_number": "22764",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ypygym",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-wbpv6",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-6fif5m",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4/records/e87fd4af-b466-4240-aa42-c12a364351d4",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"eventType\":\"pull_request\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-6fif5m",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:51:26Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRunUID": "0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "fd66cde0805e19cbd9b5884b85b639a30fb4757b4422719e277ec8c564669f"
                },
                "name": "python-component-6fif5m-on-pull-request-wbpv6-clair-scan",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-wbpv6",
                        "uid": "0eb86332-163e-412e-ae6b-cb4bd354c8a4"
                    }
                ],
                "resourceVersion": "26427",
                "uid": "e87fd4af-b466-4240-aa42-c12a364351d4"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:53:05Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:53:05Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-pull-request-wbpv6-clair-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c\", \"digests\": [\"sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\":\"sha256:4d3b8e553dbc4ba564c3bc6c8f5fb9bb0f64d5d36de8ad549ed2d0b36fa8ddda\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":331,\"medium\":873,\"low\":241,\"unknown\":2},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":4,\"medium\":489,\"low\":633,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T11:53:04+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T11:51:26Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a865c095881f48ee1149fb8f69a30d0dabfcd0721b0386763a32f16ed1588cf6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:51:50Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:51:42Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3858a6d56bb7eac29bc2ca285eebcdaf9c2b1f04f0399b61e346336ad225af13",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:52:25Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:51:50Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6bfc73b2281f2c986748217ceeaa803d7e91837d74896deb34bdc74b94df499a",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:52:29Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:52:26Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4ee3e06471fe9555765eedd501eaabe98849ec014cde52c5ca5eb7e6225e7e8c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:53:05Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c\\\", \\\"digests\\\": [\\\"sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\\\":\\\"sha256:4d3b8e553dbc4ba564c3bc6c8f5fb9bb0f64d5d36de8ad549ed2d0b36fa8ddda\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":331,\\\"medium\\\":873,\\\"low\\\":241,\\\"unknown\\\":2},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":4,\\\"medium\\\":489,\\\"low\\\":633,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T11:53:04+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:52:29Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/commit_sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/pull_request_number": "22764",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ypygym",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-wbpv6",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-6fif5m",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4/records/64ba33b6-0cb6-48f1-8f63-b03934ded2ec",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"eventType\":\"pull_request\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-6fif5m",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:51:26Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRunUID": "0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan",
                    "test.appstudio.openshift.io/pr-group-sha": "fd66cde0805e19cbd9b5884b85b639a30fb4757b4422719e277ec8c564669f"
                },
                "name": "python-component-6fif5m-on-pull-request-wbpv6-clamav-scan",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-wbpv6",
                        "uid": "0eb86332-163e-412e-ae6b-cb4bd354c8a4"
                    }
                ],
                "resourceVersion": "26284",
                "uid": "64ba33b6-0cb6-48f1-8f63-b03934ded2ec"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:52:59Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:52:59Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-pull-request-wbpv6-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c\", \"digests\": [\"sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782993175\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-02T11:51:27Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:51306b4d971e7c1fa2bd1a055b4727dcd33ca920b9899642aba57bf79237fa93",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://dd76f7e8bd384ddf50e26fd456780bda9b2480da5f6bb8e86646d9952c90d453",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:52:55Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c\\\", \\\"digests\\\": [\\\"sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782993175\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:51:43Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://eb3f84ab9d43daad2d3b90971c734a8537b6113ffa0e2e88bc1e1aacfde35a22",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:52:59Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c\\\", \\\"digests\\\": [\\\"sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782993175\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:52:56Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/commit_sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/pull_request_number": "22764",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-93a292d3e0",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ypygym",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-wbpv6",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-6fif5m",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4/records/b137d083-297d-4a65-9bb9-6ac2c7c3119e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"eventType\":\"pull_request\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-6fif5m",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:47:18Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRunUID": "0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone",
                    "test.appstudio.openshift.io/pr-group-sha": "fd66cde0805e19cbd9b5884b85b639a30fb4757b4422719e277ec8c564669f"
                },
                "name": "python-component-6fif5m-on-pull-request-wbpv6-clone-repository",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-wbpv6",
                        "uid": "0eb86332-163e-412e-ae6b-cb4bd354c8a4"
                    }
                ],
                "resourceVersion": "21928",
                "uid": "b137d083-297d-4a65-9bb9-6ac2c7c3119e"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "revision",
                        "value": "ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b56dc2d206"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-ypygym"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:47:24Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:47:24Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-922f8876c9a858c06437eb10048de734-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1782992804"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "ec44ffb"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    }
                ],
                "startTime": "2026-07-02T11:47:19Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://29df5d79d3b7fbc81e69514a9d81dbd35573c31277b4eead7a64d83c9aeb8250",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:47:23Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782992804\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"ec44ffb\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:47:22Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d8bceaedc2076d58f5539b6b4504c3e2538056ce2deb085442c83a5d2e23f6c6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:47:23Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782992804\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"ec44ffb\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:47:23Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/commit_sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/pull_request_number": "22764",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ypygym",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-wbpv6",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-6fif5m",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4/records/7760425b-7ee4-44a2-9d17-797d06b77575",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"eventType\":\"pull_request\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-6fif5m",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:47:10Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRunUID": "0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "fd66cde0805e19cbd9b5884b85b639a30fb4757b4422719e277ec8c564669f"
                },
                "name": "python-component-6fif5m-on-pull-request-wbpv6-init",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-wbpv6",
                        "uid": "0eb86332-163e-412e-ae6b-cb4bd354c8a4"
                    }
                ],
                "resourceVersion": "21800",
                "uid": "7760425b-7ee4-44a2-9d17-797d06b77575"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:47:15Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:47:15Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-pull-request-wbpv6-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-02T11:47:11Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5db8ac879916744bae974d337f8b1483b9fdc9920a7152696ec2e757c8c3e086",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:47:14Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:47:14Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/commit_sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/pull_request_number": "22764",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-93a292d3e0",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ypygym",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-wbpv6",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-6fif5m",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4/records/c640a5f5-ddb3-42bc-b6f2-dbd0a4ae09ee",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"eventType\":\"pull_request\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-6fif5m",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:51:26Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRunUID": "0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile",
                    "test.appstudio.openshift.io/pr-group-sha": "fd66cde0805e19cbd9b5884b85b639a30fb4757b4422719e277ec8c564669f"
                },
                "name": "python-component-6fif5m-on-pull-request-wbpv6-push-dockerfile",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-wbpv6",
                        "uid": "0eb86332-163e-412e-ae6b-cb4bd354c8a4"
                    }
                ],
                "resourceVersion": "25504",
                "uid": "c640a5f5-ddb3-42bc-b6f2-dbd0a4ae09ee"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b56dc2d206"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:51:46Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:51:46Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-1dd3d5c0180b1d4781bdf90c1cfdf015-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:18d6120a039d22892469933ae58f127c4a0a9d45ffb49cb4c3df98986b3b8912"
                    }
                ],
                "startTime": "2026-07-02T11:51:29Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9f3a2224950275043bc4d192bcc8c7f73452aef1d2ae742c24c5648bd6f4f2da",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:51:46Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:18d6120a039d22892469933ae58f127c4a0a9d45ffb49cb4c3df98986b3b8912\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:51:43Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                "python-component",
                                "--containerfile",
                                "docker/Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                                "--image-digest",
                                "sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/commit_sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/pull_request_number": "22764",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-93a292d3e0",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ypygym",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-wbpv6",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-6fif5m",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4/records/8a96f574-1fea-4771-9d24-62d0b768bbbf",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"eventType\":\"pull_request\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-6fif5m",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:51:26Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRunUID": "0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check",
                    "test.appstudio.openshift.io/pr-group-sha": "fd66cde0805e19cbd9b5884b85b639a30fb4757b4422719e277ec8c564669f"
                },
                "name": "python-component-6fif5m-on-pull-request-wbpv6-sast-shell-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-wbpv6",
                        "uid": "0eb86332-163e-412e-ae6b-cb4bd354c8a4"
                    }
                ],
                "resourceVersion": "25485",
                "uid": "8a96f574-1fea-4771-9d24-62d0b768bbbf"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b56dc2d206"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:51:48Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:51:48Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-dbc091a6b9430e4b3f21fdf439c1efb1-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T11:51:45+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T11:51:28Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://7672c54fe8ec9d59e8ceb088448599993d81e0142d113f7bb378a4ccab12c8bc",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:51:45Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T11:51:45+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:51:43Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2d693ea0c4650f495b805a1b4811bf5f9562376a30966cf2a29a074cd315f0fe",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:51:47Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T11:51:45+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:51:45Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/commit_sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/pull_request_number": "22764",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-93a292d3e0",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ypygym",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-wbpv6",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-6fif5m",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4/records/fa4c7052-0ae3-4896-a107-7b691941d6f4",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"eventType\":\"pull_request\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-6fif5m",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:51:26Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRunUID": "0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check",
                    "test.appstudio.openshift.io/pr-group-sha": "fd66cde0805e19cbd9b5884b85b639a30fb4757b4422719e277ec8c564669f"
                },
                "name": "python-component-6fif5m-on-pull-request-wbpv6-sast-snyk-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-wbpv6",
                        "uid": "0eb86332-163e-412e-ae6b-cb4bd354c8a4"
                    }
                ],
                "resourceVersion": "25417",
                "uid": "fa4c7052-0ae3-4896-a107-7b691941d6f4"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-b56dc2d206"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:51:45Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:51:45Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-bc946cd340b73cdfc6218e2612a4d142-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-02T11:51:44+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T11:51:26Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://4e8e84a917bff07feda73585d810eace7855d78ece7922e2e4341d6c5bc70818",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:51:44Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-02T11:51:44+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:51:42Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3d2db58dd7a3c417049734b6eb729108d8809b237580be84a06150ffb07601a1",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:51:44Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-02T11:51:44+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:51:44Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/commit_sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ammwba",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-8nqvb",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8/records/4ad5bd19-9382-44ba-b5c5-d29462cd8865",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6p5dm is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:03:58Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84765073631",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-8nqvb",
                    "tekton.dev/pipelineRunUID": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-component-6fif5m-on-pull31a36e5eaeace7df2b04265fe35e2f04",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-8nqvb",
                        "uid": "cd62e326-bc29-4ad1-b5de-cc2480fa35f8"
                    }
                ],
                "resourceVersion": "38800",
                "uid": "4ad5bd19-9382-44ba-b5c5-d29462cd8865"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:05:47Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:05:47Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-3fa7e3ac5c5727d4ea1f88df5092ab86-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\", \"digests\": [\"sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782993946\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-02T12:04:00Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://9985f82b3816340d797478393e5ee1c3d3cac83677c999916575e697d2ce12cf",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:04:36Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:04:34Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://8852119dc8ddcf29b94161fe91c4231f0cefb73d67896b0b0c5e6b356ff0c270",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:04:36Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:04:36Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://55a9643f9dbe0d86f4595d49846b81b2ffbe9ddcc575c426664dd7eb7911e854",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:04:37Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:04:37Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://66a2b8604924181a763e20a8b6a5be3b06b2a4dfb0ca7738760e0ae544f6b300",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:05:45Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:04:37Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\", \"digests\": [\"sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782993946\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://4fe6b2bbb56398c36a03f297fac04d6233c42db8bf39d3fa138d1c59ecf115c4",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:05:46Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b\\\", \\\"digests\\\": [\\\"sha256:6f9bf680f5d8976096a4b8ea4e29e865f6a80cde5bab8b943afcdb8a85dfa61f\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782993946\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:05:46Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782993946\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://3a828dd2203e1f2e315e10c219207fcfc9e727ab0ee9fd94376d4c9b737c3765",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:05:46Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782993946\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:05:46Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-d4cdb5b1c241e69f677d20bc0e997f3e097d9c2b"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/commit_sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "build.appstudio.redhat.com/pull_request_number": "22765",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wevzrw",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-p2h7h",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/sha-title": "e2e test commit message",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/source-branch": "pr-branch-hpj321",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089/records/749a84dc-33c9-485e-8904-712d57c92ae1",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"7705e62986c83b49dab82b88455e8ec95577f411\",\"eventType\":\"pull_request\",\"pull_request-id\":22765}",
                    "results.tekton.dev/result": "group-r73r/results/c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/create-groupsnapshot-status": "a new build PLR go-component-pwrvk0-on-pull-request-6hwd6 is running for component go-component-pwrvk0, waiting for it to create a new group Snapshot for PR group pr-branch-hpj321",
                    "test.appstudio.openshift.io/pr-group": "pr-branch-hpj321",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T12:10:41Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84766520854",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22765",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "7705e62986c83b49dab82b88455e8ec95577f411",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-p2h7h",
                    "tekton.dev/pipelineRunUID": "c40ed468-8b85-4fa2-849a-6ae88f2ca089",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "443760e89c3acb314936969e84965b9bfe77306b97849d29da73b667602893"
                },
                "name": "python-component-6fif5m-on-pull68f67312811724c2aec8fda1c0588c96",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-p2h7h",
                        "uid": "c40ed468-8b85-4fa2-849a-6ae88f2ca089"
                    }
                ],
                "resourceVersion": "44534",
                "uid": "749a84dc-33c9-485e-8904-712d57c92ae1"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T12:12:27Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T12:12:27Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-ffda13cd929d44dda12409a7fa10d65e-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411\", \"digests\": [\"sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782994345\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-02T12:10:42Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://777bf1af7e38c60004cbf531fb5fbb885a4d3f23ccda3f812a590518da4e3837",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:11:18Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:11:11Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://86852c73788c66bd3221314dcf3719aacf9ff52e8eca6d40d75444e644ef640b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:11:18Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:11:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6e8d5d0cde285767b89cac6f45884a57c54f2ce2725fce1d81033e30d624ca69",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:11:15Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:11:14Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://15121261c9733e09fb1795ef21862252659028fcc393babb10fb5228170999c0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:12:25Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:11:15Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411\", \"digests\": [\"sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782994345\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://73197d2de99609ade7dae9e60b54ebb1530a29a1ab0920716e614e60dc0febce",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:12:26Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411\\\", \\\"digests\\\": [\\\"sha256:74fe9b5f3ed37f5f9c731b6c4eb783e4e2871e9b1931e4aa57623e7b69fa4696\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782994345\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:12:25Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782994345\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://eff2d793951bbde3c856e31da85617e69789ee7c37d179bdc9c033f6b7c971f5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T12:12:26Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782994345\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T12:12:26Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-7705e62986c83b49dab82b88455e8ec95577f411"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/commit_sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "build.appstudio.redhat.com/pull_request_number": "22764",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ypygym",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-pull-request-wbpv6",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-pull-request.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-6fif5m",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4/records/6f33ccd1-d95d-40c9-ad68-3a6f40a46eeb",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"ec44ffbc0c5598ba17117d26b5562f0fb275710c\",\"eventType\":\"pull_request\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-group": "konflux-python-component-6fif5m",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-07-02T11:51:26Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "84762817620",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "ec44ffbc0c5598ba17117d26b5562f0fb275710c",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-pull-request-wbpv6",
                    "tekton.dev/pipelineRunUID": "0eb86332-163e-412e-ae6b-cb4bd354c8a4",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks",
                    "test.appstudio.openshift.io/pr-group-sha": "fd66cde0805e19cbd9b5884b85b639a30fb4757b4422719e277ec8c564669f"
                },
                "name": "python-component-6fif5m-on-pullbb3d0bd0aca79558f98f1aa3d1215285",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-pull-request-wbpv6",
                        "uid": "0eb86332-163e-412e-ae6b-cb4bd354c8a4"
                    }
                ],
                "resourceVersion": "26272",
                "uid": "6f33ccd1-d95d-40c9-ad68-3a6f40a46eeb"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:52:54Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:52:54Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-e6d637fdd5dc54e513d6c7557cae1887-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c\", \"digests\": [\"sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782993173\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-02T11:51:26Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://16c1d4e273026fb3741321e02a99904f7abbd3f7414311665833c699ffc685e4",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:51:44Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:51:42Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://f5a996cff02c9a85a9eac52dd9a77ffab0d738ddb76f8be507b1dc9c0cfd400f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:51:45Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:51:45Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a850493b967d043dfa4be054e6fc3c8133a8767653ff1516feaca6f67ffae774",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:51:45Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:51:45Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://507b59d1f19a2204aaccebdb09ba4007e1a609d7f778818c2550b869ae5c3e90",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:52:53Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:51:46Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c\", \"digests\": [\"sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782993173\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://3cff208f1074b339a47d1305dc30c322f009786e3df83aa6d2e1aef715e0f655",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:52:53Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c\\\", \\\"digests\\\": [\\\"sha256:d969459894b257f44e95a330fe880d524ab11be49ea4b5bd729fe5a5776dc553\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782993173\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:52:53Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782993173\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://5178826d95b088d94837f35822f06fa467e052ac91f6302cb7603eb4ed7925f3",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:52:54Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782993173\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:52:54Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:on-pr-ec44ffbc0c5598ba17117d26b5562f0fb275710c"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/commit_sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-xuiugn",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-push-kkzhz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22764 from redhat-appstudio-qe/konflux-python-component-6fif5m\n\nkonflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7/records/1e8c47f4-18ee-47cf-9edf-cfb0750f6655",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"eventType\":\"push\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-02T11:58:04Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRunUID": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "tekton.dev/pipelineTask": "apply-tags",
                    "tekton.dev/task": "apply-tags"
                },
                "name": "python-component-6fif5m-on-push-kkzhz-apply-tags",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-push-kkzhz",
                        "uid": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7"
                    }
                ],
                "resourceVersion": "31324",
                "uid": "1e8c47f4-18ee-47cf-9edf-cfb0750f6655"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "apply-tags"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:58:17Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:58:17Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-push-kkzhz-apply-tags-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "aa62b41861c09e2e59c69cc6e9a1f740bf0c81e6a1eb03f57f59dfda0f65840e"
                        },
                        "entryPoint": "apply-tags",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags"
                    }
                },
                "startTime": "2026-07-02T11:58:06Z",
                "steps": [
                    {
                        "container": "step-apply-additional-tags",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                        "name": "apply-additional-tags",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://15f9ee4dff4add34425df12a75da1659a2133b0021f68c0f7f83e09507ec921e",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:58:16Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:58:15Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Applies additional tags to the built image.",
                    "params": [
                        {
                            "description": "Image repository and tag reference of the the built image.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest of the built image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional tags that will be applied to the image in the registry.",
                            "name": "ADDITIONAL_TAGS",
                            "type": "array"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                                "--digest",
                                "sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384",
                                "--tags",
                                "--tags-from-image-label",
                                "konflux.additional-tags"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "apply-tags"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:731f87170f764c8a234d2c552990a298abad8b80f05926dab393d6ca89ffcbd2",
                            "name": "apply-additional-tags"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/commit_sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-f4d305abd3",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-xuiugn",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-push-kkzhz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22764 from redhat-appstudio-qe/konflux-python-component-6fif5m\n\nkonflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7/records/a53d9baf-c786-4878-80bd-fca8f9091468",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"eventType\":\"push\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-02T11:54:33Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRunUID": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah"
                },
                "name": "python-component-6fif5m-on-push-kkzhz-build-container",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-push-kkzhz",
                        "uid": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7"
                    }
                ],
                "resourceVersion": "30538",
                "uid": "a53d9baf-c786-4878-80bd-fca8f9091468"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": ""
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah:0.9@sha256:b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-123913ed6e"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:57:50Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:57:50Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-push-kkzhz-build-container-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b68244eb0d68eff71861384ae73f5e93b11fd3da77a0381f14fb52604310d8c5"
                        },
                        "entryPoint": "buildah",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7@sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:ab890aee0ea680dd2f15ff5ac6422b94f052b07fbcb9554d4d8534489470f799"
                    }
                ],
                "startTime": "2026-07-02T11:54:33Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://d6466828780f7a828de96b900d4d1b004d4f185ed4fdda76b676154c89d5b720",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:55:09Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:54:41Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://2732fe6c4b9e4f6a7c4efd11b671aacc8bd3d200e782bf642f4690c077ece045",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:56:02Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7@sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:55:10Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "sbom-syft-generate",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://5ef880f6c4c6c1ba20463ef1d6ca0bac53312a128aa98518386d3a146a0fb820",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:56:34Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7@sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:56:03Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "prepare-sboms",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ee950456d3e6f6828ae8165a59d868bc928b101a2174fbb81ca764fbefb810a5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:07Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7@sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:56:35Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://883368d146c858aa5af5e5cfab7858e8d9fef5f9c6e113b00eb316ccc310bb35",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:47Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7@sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:ab890aee0ea680dd2f15ff5ac6422b94f052b07fbcb9554d4d8534489470f799\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:08Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.",
                    "params": [
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode, should be used only with remote VMs",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "4Gi"
                            },
                            "requests": {
                                "cpu": "1",
                                "memory": "4Gi"
                            }
                        },
                        "env": [
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "python-component"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                },
                                "requests": {
                                    "cpu": "4600m",
                                    "memory": "8Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "docker/Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n  \"$source_dir_path\" | \"$source_dir_path/\"*)\n    # path is valid, do nothing\n    ;;\n  *)\n    echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n    echo \"Source path: $source_dir_path\" \u003e\u00262\n    echo \"Resolved path: $context_dir_path\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e /etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n    case $1 in\n        --build-args)\n            shift\n            # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n            # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do build_args+=(\"$1\"); shift; done\n            ;;\n        --env)\n            shift\n            # Collect env entries of the form KEY=value\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do env_vars+=(\"$1\"); shift; done\n            ;;\n        --labels)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do LABELS+=(\"--label\" \"$1\"); shift; done\n            ;;\n        --annotations)\n            shift\n            while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ANNOTATIONS+=(\"--annotation\" \"$1\"); shift; done\n            ;;\n        *)\n            echo \"unexpected argument: $1\" \u003e\u00262\n            exit 2\n            ;;\n    esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e /shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n    jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"\n    then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ] ; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/workspace/source/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e /shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/workspace/source/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n      -e 'H;1h;$!d;x' \\\n      -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n      \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null` `\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e \"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key \\\n                  -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z \\\n                  -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"\n    then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e /dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c \"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n    buildah build\n    \"${VOLUME_MOUNTS[@]}\"\n    \"${BUILDAH_ARGS[@]}\"\n    \"${LABELS[@]}\"\n    \"${ANNOTATIONS[@]}\"\n    --tls-verify=\"$TLSVERIFY\" --no-cache\n    --ulimit nofile=4096:4096\n    --http-proxy=false\n    -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e /shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "600m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "python-component-6fif5m-on-push-kkzhz-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"\nthen\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/workspace/source/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c \"/workspace/source\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/workspace/source/image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"\nthen\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n  [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n  [rekorInternalUrl]=REKOR_URL\n  [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n  [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n  [rekorInternalUrl]=rekorExternalUrl\n  [fulcioInternalUrl]=fulcioExternalUrl\n  [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e /shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e /tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1100m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\n  cyclonedx)\n    syft_sbom_type=cyclonedx-json@1.5 ;;\n  spdx)\n    syft_sbom_type=spdx-json@2.3 ;;\n  *)\n    echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n    exit 1\n    ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/workspace/source/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/workspace/source/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/source/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n    --additional-base-images)\n      shift\n      while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do ADDITIONAL_BASE_IMAGES+=(\"$1\"); shift; done\n      ;;\n    *)\n      echo \"unexpected argument: $1\" \u003e\u00262\n      exit 2\n      ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/workspace/source/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/workspace/source/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/workspace/source/sbom-source.json\")\nfi\n\nif [ -f \"/workspace/source/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/workspace/source/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/workspace/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"\n  then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n    # spdx export data as rawstring, we want structured json as cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"\n  then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/source"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code to build.",
                            "name": "source"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/commit_sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-xuiugn",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-push-kkzhz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22764 from redhat-appstudio-qe/konflux-python-component-6fif5m\n\nkonflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7/records/9341dce0-945e-449d-a68f-eafff58e880c",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"eventType\":\"push\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-02T11:57:50Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRunUID": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index"
                },
                "name": "python-component-6fif5m-on-push-kkzhz-build-image-index",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-push-kkzhz",
                        "uid": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7"
                    }
                ],
                "resourceVersion": "30629",
                "uid": "9341dce0-945e-449d-a68f-eafff58e880c"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": ""
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7@sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:58:03Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:58:03Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-push-kkzhz-build-image-index-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c7b0f7e1f743040d99a3532abbdfddc9484f80fd559a75171c97499c3eb5d163"
                        },
                        "entryPoint": "build-image-index",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                    }
                ],
                "startTime": "2026-07-02T11:57:50Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                        "name": "build",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://19cf6bbc159de0310842579eec11b1585dea65a2b53de9de408fd4f26341ec65",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:58Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:55Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                        "name": "create-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://0c5378b857a72f30ccfee67a9af09e761568c86ffb94ee43d397e53c3c86530b",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:57:59Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:59Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                        "name": "upload-sbom",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9807e24b1ec122af4b5781507db028152d7caad88e150683a9f8f632724839cb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:58:02Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:57:59Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7@sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "4Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:python-component-6fif5m-on-push-kkzhz-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:python-component-6fif5m-on-push-kkzhz-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/commit_sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-xuiugn",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-push-kkzhz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22764 from redhat-appstudio-qe/konflux-python-component-6fif5m\n\nkonflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7/records/16932a70-b675-4efc-8fc8-16a40054a750",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"eventType\":\"push\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-02T11:58:03Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRunUID": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan"
                },
                "name": "python-component-6fif5m-on-push-kkzhz-clair-scan",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-push-kkzhz",
                        "uid": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7"
                    }
                ],
                "resourceVersion": "33132",
                "uid": "16932a70-b675-4efc-8fc8-16a40054a750"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:59:34Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:59:34Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-push-kkzhz-clair-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609"
                        },
                        "entryPoint": "clair-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7\", \"digests\": [\"sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\":\"sha256:80cdbbb5e7cc4c31018b037e33d104a0d218fe22516ab99150e0bf0cd836be4a\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":331,\"medium\":873,\"low\":241,\"unknown\":2},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":4,\"medium\":489,\"low\":633,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T11:59:32+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T11:58:03Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "get-image-manifests",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://f4c52faea6a61db1a44ed16e052a3083153a6e32e5ea1e327c4dc040ea8666b6",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:58:22Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:58:16Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:e030a6094b6d88b430ed049a6a59808f4b795e9d8293d72a4bbab44da8cc429f",
                        "name": "get-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://3d2b061a21daeba186849ba817585b3b3d3392a7f0b8a3202d1e56031868e213",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:58:56Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:58:22Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                        "name": "oci-attach-report",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://c7d561e3d85885ebbf40215cba645937a63aae802dd2b6fc3647b0174b944ad7",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:59:00Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:58:57Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                        "name": "conftest-vulnerabilities",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://614b316e240cdd0616a2b821af60821fc3f4e91f9479a27793d18511a70dc6ef",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:59:32Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7\\\", \\\"digests\\\": [\\\"sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\\\":\\\"sha256:80cdbbb5e7cc4c31018b037e33d104a0d218fe22516ab99150e0bf0cd836be4a\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":331,\\\"medium\\\":873,\\\"low\\\":241,\\\"unknown\\\":2},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":4,\\\"medium\\\":489,\\\"low\\\":633,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T11:59:32+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:59:01Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "7Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/commit_sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-xuiugn",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-push-kkzhz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22764 from redhat-appstudio-qe/konflux-python-component-6fif5m\n\nkonflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7/records/f294bda8-6438-46f5-8964-25777bb856c9",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"eventType\":\"push\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-02T11:58:03Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRunUID": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan"
                },
                "name": "python-component-6fif5m-on-push-kkzhz-clamav-scan",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-push-kkzhz",
                        "uid": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7"
                    }
                ],
                "resourceVersion": "33014",
                "uid": "f294bda8-6438-46f5-8964-25777bb856c9"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:59:35Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:59:35Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-push-kkzhz-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a"
                        },
                        "entryPoint": "clamav-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7\", \"digests\": [\"sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1782993570\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-07-02T11:58:04Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:51306b4d971e7c1fa2bd1a055b4727dcd33ca920b9899642aba57bf79237fa93",
                        "name": "extract-and-scan-image",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://985c16aebfb669c599c6cd84251ac5c020ee4d2971a2957a052e2c394a585297",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:59:31Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7\\\", \\\"digests\\\": [\\\"sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782993570\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:58:17Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://a4e3827ff0a9b0bab4f62590c0623a95d186d8549959ca183f8c685571bb3aa8",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:59:34Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7\\\", \\\"digests\\\": [\\\"sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1782993570\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:59:30Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                },
                                "requests": {
                                    "cpu": "7300m",
                                    "memory": "12Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/commit_sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-f4d305abd3",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-xuiugn",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-push-kkzhz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22764 from redhat-appstudio-qe/konflux-python-component-6fif5m\n\nkonflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7/records/f0ec7e27-f4fe-4f3b-801f-20f03f5822ba",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"eventType\":\"push\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-02T11:54:11Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRunUID": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone"
                },
                "name": "python-component-6fif5m-on-push-kkzhz-clone-repository",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-push-kkzhz",
                        "uid": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7"
                    }
                ],
                "resourceVersion": "27758",
                "uid": "f0ec7e27-f4fe-4f3b-801f-20f03f5822ba"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "revision",
                        "value": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "output",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-123913ed6e"
                        }
                    },
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-xuiugn"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:54:19Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:54:19Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-push-kkzhz-clone-repository-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "7db7ad9653dccc771407cb0294487cf4be9064fa782ffad7e983db1a8ba57e21"
                        },
                        "entryPoint": "git-clone",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1782993210"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "1246422"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                    }
                ],
                "startTime": "2026-07-02T11:54:12Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://07fb009732610d89196b2def23fe0d6334c54477bfaef157ef4e152a768e4941",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:54:18Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782993210\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"1246422\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:54:17Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://61ff4ce127ff8a620c57fca5a68e13640c688c20e6d4a3873c2f90997fc9b62c",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:54:18Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1},{\"key\":\"commit\",\"value\":\"1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1782993210\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"1246422\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/redhat-appstudio-qe/group-snapshot-multi-component\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:54:18Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.",
                    "params": [
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "source",
                            "description": "Subdirectory inside the `output` Workspace to clone the repo into.",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Clean out the contents of the destination directory if it already exists before cloning.",
                            "name": "deleteExisting",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Deprecated. Has no effect. Will be removed in the future.",
                            "name": "gitInitImage",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "PARAM_DELETE_EXISTING",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_GIT_INIT_IMAGE"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n  set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n  echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n  # Delete any existing contents of the repo directory if it exists.\n  #\n  # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n  # or the root of a mounted volume.\n  if [ -d \"${CHECKOUT_DIR}\" ] ; then\n    # Delete non-hidden files and directories\n    rm -rf \"${CHECKOUT_DIR:?}\"/*\n    # Delete files and directories starting with . but excluding ..\n    rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n    # Delete files and directories starting with .. plus any other character\n    rm -rf \"${CHECKOUT_DIR}\"/..?*\n  fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n  cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\nif ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n  echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n  echo \"--- Git Status ---\"\n  git status\n  echo \"------------------\"\n  exit 1\nfi\n\n# Check if there are changes staged for commit\nif git diff --staged --quiet; then\n  echo \"No diff was found, skipping merge...\" \u003e\u00262\nelse\n  echo \"Merge successful (no conflicts found), committing...\"\nif ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n  echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n  exit 1\nfi\n  MERGED_SHA=$(git rev-parse HEAD)\n  echo \"New HEAD after merge: ${MERGED_SHA}\"\n  echo \"${MERGED_SHA}\" \u003e \"/tekton/results/merged_sha\"\nfi\n\nelse\n  echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBDIRECTORY",
                                    "value": "source"
                                },
                                {
                                    "name": "WORKSPACE_OUTPUT_PATH",
                                    "value": "/workspace/output"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink\n  do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The git repo will be cloned onto the volume backing this Workspace.",
                            "name": "output"
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/commit_sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-xuiugn",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-push-kkzhz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22764 from redhat-appstudio-qe/konflux-python-component-6fif5m\n\nkonflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7/records/269224d8-8584-4f32-a3d9-8b56efa510a5",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"eventType\":\"push\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-02T11:54:04Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRunUID": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init"
                },
                "name": "python-component-6fif5m-on-push-kkzhz-init",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-push-kkzhz",
                        "uid": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7"
                    }
                ],
                "resourceVersion": "27606",
                "uid": "269224d8-8584-4f32-a3d9-8b56efa510a5"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:54:09Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:54:09Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-push-kkzhz-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-07-02T11:54:04Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                        "name": "init",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://ad43d4daf00bdaa4ef1be7d28f8a4a7dc6fa89e8979c49d843e359ba5f4f0ef5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:54:08Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:54:08Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/commit_sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-f4d305abd3",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-xuiugn",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-push-kkzhz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22764 from redhat-appstudio-qe/konflux-python-component-6fif5m\n\nkonflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7/records/c455adc1-c879-44c4-bdaf-d8bb4967ae8d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"eventType\":\"push\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-02T11:54:22Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRunUID": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies"
                },
                "name": "python-component-6fif5m-on-push-kkzhz-prefetch-dependencies",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-push-kkzhz",
                        "uid": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7"
                    }
                ],
                "resourceVersion": "27995",
                "uid": "c455adc1-c879-44c4-bdaf-d8bb4967ae8d"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.3@sha256:45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "source",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-123913ed6e"
                        }
                    },
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-xuiugn"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:54:31Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:54:31Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-push-kkzhz-prefetch-dependencies-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "45d2d88ddcc02db4605a4059e034121163458a63b7bb4e179e4402c156f84487"
                        },
                        "entryPoint": "prefetch-dependencies",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies"
                    }
                },
                "startTime": "2026-07-02T11:54:22Z",
                "steps": [
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                        "name": "prefetch-dependencies",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://54bf9543359a0c0130bc143410183d5f5158b92d7b541909801679f7768af0f5",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:54:31Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:54:25Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/workspace/source/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/workspace/source/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/workspace/source/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e /mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace with the source code, prefetch artifacts will be stored on the workspace as well",
                            "name": "source"
                        },
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/commit_sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-f4d305abd3",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-xuiugn",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-push-kkzhz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22764 from redhat-appstudio-qe/konflux-python-component-6fif5m\n\nkonflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7/records/2ad3cce6-58cc-436e-8bc1-dc44c9de8f9f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"eventType\":\"push\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, appstudio",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-02T11:58:04Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRunUID": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "tekton.dev/pipelineTask": "push-dockerfile",
                    "tekton.dev/task": "push-dockerfile"
                },
                "name": "python-component-6fif5m-on-push-kkzhz-push-dockerfile",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-push-kkzhz",
                        "uid": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7"
                    }
                ],
                "resourceVersion": "31391",
                "uid": "2ad3cce6-58cc-436e-8bc1-dc44c9de8f9f"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "docker/Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "python-component"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "push-dockerfile"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.3@sha256:64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-123913ed6e"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:58:20Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:58:20Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-push-kkzhz-push-dockerfile-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "64210c6d94ab467e1f8e1666e037060bd73942d65f5044bb63804470667ab3a2"
                        },
                        "entryPoint": "push-dockerfile",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-push-dockerfile"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:9ffaee8ee02539f4320f4e15babd6c528b92caeaf2a27c313f31c5cedaac65ba"
                    }
                ],
                "startTime": "2026-07-02T11:58:07Z",
                "steps": [
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                        "name": "push",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://dfc8e058672eac2797b75c0f49082d606f7338d2906d73650f3d91708c0d72a0",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:58:18Z",
                            "message": "[{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m@sha256:9ffaee8ee02539f4320f4e15babd6c528b92caeaf2a27c313f31c5cedaac65ba\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:58:18Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Discover Dockerfile from source code and push it to registry as an OCI artifact.",
                    "params": [
                        {
                            "description": "The built binary image. The Dockerfile is pushed to the same image repository alongside.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "description": "The built binary image digest, which is used to construct the tag of Dockerfile image.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": ".dockerfile",
                            "description": "Suffix of the Dockerfile image tag.",
                            "name": "TAG_SUFFIX",
                            "type": "string"
                        },
                        {
                            "default": "application/vnd.konflux.dockerfile",
                            "description": "Artifact type of the Dockerfile image.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "info",
                            "description": "Log level to use in the task. See golang logrus docs for available levels.",
                            "name": "LOG_LEVEL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest-pinned image reference to the Dockerfile image.",
                            "name": "IMAGE_REF",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "--source",
                                "source",
                                "--context",
                                "python-component",
                                "--containerfile",
                                "docker/Dockerfile",
                                "--image-url",
                                "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                                "--image-digest",
                                "sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384",
                                "--artifact-type",
                                "application/vnd.konflux.dockerfile",
                                "--tag-suffix",
                                ".dockerfile",
                                "--result-path-image-ref",
                                "/tekton/results/IMAGE_REF",
                                "--alternative-filename",
                                "Dockerfile"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "image",
                                "push-containerfile"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b5d20c85efa96affda92b32ca50590aa72231b43484637b2547e2d4c8c808fa0",
                            "name": "push",
                            "workingDir": "/workspace/workspace"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "Workspace containing the source code from where the Dockerfile is discovered.",
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/commit_sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-xuiugn",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-push-kkzhz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22764 from redhat-appstudio-qe/konflux-python-component-6fif5m\n\nkonflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7/records/00708032-92bf-42d0-a2a1-5e16a7c0514b",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"eventType\":\"push\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-02T11:58:04Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRunUID": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan"
                },
                "name": "python-component-6fif5m-on-push-kkzhz-rpms-signature-scan",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-push-kkzhz",
                        "uid": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7"
                    }
                ],
                "resourceVersion": "32474",
                "uid": "00708032-92bf-42d0-a2a1-5e16a7c0514b"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:59:13Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:59:13Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-push-kkzhz-rpms-signature-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7\", \"digests\": [\"sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 467, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T11:59:12+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T11:58:07Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://9b861ad845fc71f5edf50d24478065028f6986a5ad577b629830e331b6ca2a9f",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:59:11Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:58:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://622d26b9ffafd4264ed6df5223126e657e2b73696460f11211b26291b4ccbba3",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:59:13Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7\\\", \\\"digests\\\": [\\\"sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 467, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T11:59:12+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:59:12Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/commit_sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-f4d305abd3",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-xuiugn",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-push-kkzhz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22764 from redhat-appstudio-qe/konflux-python-component-6fif5m\n\nkonflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7/records/3f877dc4-5bb9-4fef-9593-caf4aa864214",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"eventType\":\"push\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-02T11:58:03Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRunUID": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check"
                },
                "name": "python-component-6fif5m-on-push-kkzhz-sast-shell-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-push-kkzhz",
                        "uid": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7"
                    }
                ],
                "resourceVersion": "31278",
                "uid": "3f877dc4-5bb9-4fef-9593-caf4aa864214"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-123913ed6e"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:58:23Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:58:23Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-push-kkzhz-sast-shell-check-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "5ffec704e0946b247e0e2bf8a4547546a9e43ab661e5ab9ec29faae4751c6861"
                        },
                        "entryPoint": "sast-shell-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T11:58:19+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T11:58:06Z",
                "steps": [
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-shell-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://cedb26c8ddd780d1c696e78926cd98e60fb7c19bdb0e4b5d6ea1174a2afc8e88",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:58:19Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T11:58:19+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:58:18Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://06cc0381a698d56a783b7c6d7f2742a54038266194a24d3725df213756dff098",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:58:21Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T11:58:19+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:58:20Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "8",
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/workspace/workspace/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n    read -r quota period \u003c /sys/fs/cgroup/cpu.max\n    if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n        export SC_JOBS=$(((quota + period - 1) / period))\n        echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n    fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n    --mode=json\n    --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n    # predefined list of shellcheck important findings\n    CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n    CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n    CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n    CSGREP_OPTS+=(\n        --event=\"$CSGREP_EVENT_FILTER\"\n    )\nelse\n    CSGREP_OPTS+=(\n        --event=\"error|warning\"\n    )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e \"$OUTPUT_FILE\"; then\n    echo \"Error occurred while running 'run-shellcheck.sh'\"\n    note=\"Task sast-shell-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e \"${OUTPUT_FILE}.filtered\" 2\u003e \"${OUTPUT_FILE}.error\"\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n        mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003e shellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n    echo 'No image-url or image-digest param provided. Skipping upload.'\n    exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n        echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n        continue\n    fi\n\n    # Determine the media type based on the file extension\n    if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n        MEDIA_TYPE=\"application/json\"\n    else\n        MEDIA_TYPE=\"application/sarif+json\"\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n      exit 1\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-shell-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/commit_sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-f4d305abd3",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-xuiugn",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-push-kkzhz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22764 from redhat-appstudio-qe/konflux-python-component-6fif5m\n\nkonflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7/records/99b88b17-7921-4d89-b1c6-083663c6fb9e",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"eventType\":\"push\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-02T11:58:03Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRunUID": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "tekton.dev/pipelineTask": "sast-snyk-check",
                    "tekton.dev/task": "sast-snyk-check"
                },
                "name": "python-component-6fif5m-on-push-kkzhz-sast-snyk-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-push-kkzhz",
                        "uid": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7"
                    }
                ],
                "resourceVersion": "31805",
                "uid": "99b88b17-7921-4d89-b1c6-083663c6fb9e"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-snyk-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-123913ed6e"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:58:20Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:58:20Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-push-kkzhz-sast-snyk-check-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ecb0583a01bf8dfd86b58f7d929387b1050a3dbdbdc6a8be8cd40181041cc335"
                        },
                        "entryPoint": "sast-snyk-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-07-02T11:58:18+00:00\",\"note\":\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T11:58:04Z",
                "steps": [
                    {
                        "container": "step-sast-snyk-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-snyk-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://6a84580ef810e7b0955f1f527053b79d6a3a99c741f8e08d7bf06e3c5eca08e9",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:58:18Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-02T11:58:18+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:58:17Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://636a6201cdf8b81f2da607d8bd6d705fe15e78c0c6e81ef84aad19e79cbd8895",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:58:19Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-07-02T11:58:18+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:58:19Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.",
                    "params": [
                        {
                            "default": "snyk-secret",
                            "description": "Name of secret which contains Snyk token.",
                            "name": "SNYK_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Append arguments.",
                            "name": "ARGS",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Digest of the image to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Write excluded records in file. Useful for auditing (defaults to false).",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.",
                            "name": "IGNORE_FILE_PATHS",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "6Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "6Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNYK_SECRET",
                                    "value": "snyk-secret"
                                },
                                {
                                    "name": "ARGS"
                                },
                                {
                                    "name": "IGNORE_FILE_PATHS"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-snyk-check",
                            "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n  # SNYK token is provided\n  SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n  export SNYK_TOKEN\nelse\n  # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n  # shellcheck disable=SC2034\n  to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n  note=\"Task sast-snyk-check skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n  TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n  echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/workspace/workspace\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n  snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c \"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # Ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\n\n  # Ensure directory exists\n  if [ ! -d \"$resolved_path\" ]; then\n    echo \"Warning: Directory $resolved_path does not exist, skipping\"\n    continue\n  fi\n\n  echo \"INFO: Scanning directory: $resolved_path\"\n  # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n  # shellcheck disable=SC2086\n  snyk code test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\" 1\u003e\u00262\u003e\u003e stdout.txt\n  cmd_exit_code=$?\n  # Track the exit code: if any snyk command fails, preserve the failure\n  # Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n  # Error codes (2+) always override, warning codes (1,3) only if no previous error\n  if [[ \"$cmd_exit_code\" -ne 0 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 1 ]] \u0026\u0026 [[ \"$cmd_exit_code\" -ne 3 ]]; then\n    SNYK_EXIT_CODE=$cmd_exit_code\n  fi\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n  # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n  if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n    echo \"WARN: No JSON output files were generated by snyk scan\"\n    # Get snyk version for proper SARIF metadata\n    SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n    # Create a valid minimal SARIF structure using jq\n    # Note: coverage array is required even when empty because downstream jq commands expect it\n    jq -n --arg version \"$SNYK_VERSION\" '{\n      \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n      \"version\": \"2.1.0\",\n      \"runs\": [{\n        \"tool\": {\n          \"driver\": {\n            \"name\": \"snyk\",\n            \"version\": $version,\n            \"informationUri\": \"https://snyk.io\"\n          }\n        },\n        \"results\": [],\n        \"properties\": {\n          \"coverage\": []\n        }\n      }]\n    }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n  fi\n\n  # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n  (cd  \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) \\\n    | csgrep --mode=json --strip-path-prefix=\"source/\"  \\\n    \u003e sast_snyk_check_out_all_findings.json\n\n  echo \"INFO: Initial results:\"\n  csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n  if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n  fi\n  PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n  # create the KFP clone directory regardless\n  KFP_DIR=\"known-false-positives\"\n  KFP_CLONED=\"0\"\n  mkdir \"${KFP_DIR}\"\n\n  # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n  if [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n      echo \"INFO: Trying to clone known-false-positives..\"\n      git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\n  fi\n\n  if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n  else\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    CMD=(\n      csfilter-kfp\n      --verbose\n      --kfp-dir=\"${KFP_DIR}\"\n      --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n      CMD+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    set +e\n    \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003e filtered_sast_snyk_check_out.json\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n      echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    else\n      echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\n    echo \"INFO: Results after filtering:\"\n    (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n  fi\n\n  # Generation of scan stats\n\n  total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n  supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n  # We make sure the values are 0 if no supported/total files are found\n  if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n    total_files=0\n  fi\n\n  if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n    supported_files=0\n  fi\n\n  coverage_ratio=0\n  if (( total_files \u003e 0 )); then\n      coverage_ratio=$((supported_files * 100 / total_files))\n  fi\n\n  # embed stats in results file and convert to SARIF\n  csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n                      --set-scan-prop snyk-scanned-files-success:\"${supported_files}\"  \\\n                      --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n                      filtered_sast_snyk_check_out.json  \u003e sast_snyk_check_out.sarif\n\n  # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n  if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n    # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n    # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n    # - \"error\" → importance level 1\n    # - \"warning\" (or missing level) → importance level 0\n    RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n    csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e \"$RESULT_SARIF\"\n  else\n    # Use all findings for Tekton task result\n    RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n  fi\n\n  TEST_OUTPUT=\n  parse_test_output \"sast-snyk-check\" sarif \"$RESULT_SARIF\"  || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n  note=\"Task sast-snyk-check success: Snyk code test found zero supported files.\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-snyk-check test failed because of the following issues:\"\n  cat stdout.txt\n  note=\"Task sast-snyk-check failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/secrets",
                                    "name": "snyk-secret",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n    if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\n    then\n      echo \"Failed to attach to ${IMAGE_URL}\"\n    fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-snyk-check"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "snyk-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "snyk-secret"
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/commit_sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/affinity-assistant": "affinity-assistant-f4d305abd3",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-xuiugn",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-push-kkzhz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22764 from redhat-appstudio-qe/konflux-python-component-6fif5m\n\nkonflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7/records/d4f9604c-60ca-4c9f-947b-b896fc7c9108",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"eventType\":\"push\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-02T11:58:04Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRunUID": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check"
                },
                "name": "python-component-6fif5m-on-push-kkzhz-sast-unicode-check",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-push-kkzhz",
                        "uid": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7"
                    }
                ],
                "resourceVersion": "31321",
                "uid": "d4f9604c-60ca-4c9f-947b-b896fc7c9108"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.4@sha256:d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "workspace",
                        "persistentVolumeClaim": {
                            "claimName": "pvc-123913ed6e"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:58:22Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:58:22Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-push-kkzhz-sast-unicode-check-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "d65abc145444d056dfc373cd42843c3653e35435ef9d2f1e3d3fbabf0fbef477"
                        },
                        "entryPoint": "sast-unicode-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-07-02T11:58:20+00:00\",\"note\":\"Task sast-unicode-check success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-07-02T11:58:06Z",
                "steps": [
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                        "name": "sast-unicode-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://b826ee6cf49f7394766a5a32cec620eca368318c1a3b1fa2ac5b20b918955cdb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:58:21Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T11:58:20+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:58:19Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                        "name": "upload",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://e11e6b4ecaa121dfe13a05ffc5ff962877ae9706adfff2acec8f26a6c3945e97",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:58:22Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-07-02T11:58:20+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:58:21Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/workspace/workspace"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n    PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n    \u003eraw_sast_unicode_check_out.txt \\\n    2\u003eraw_sast_unicode_check_out.log \\\n    || FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n    echo \"Failed to run find-unicode-control command\" \u003e\u00262\n    cat raw_sast_unicode_check_out.log\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n    echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n    --mode=json\n    --remove-duplicates\n    --embed-context=3\n    --set-scan-prop=\"${SCAN_PROP}\"\n    --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003e processed_sast_unicode_check_out.json 2\u003e processed_sast_unicode_check_out.err; then\n    echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n    cat processed_sast_unicode_check_out.err\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n    KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n    # Default location only reachable from internal Konflux instances, check reachable first\n    echo -n \"INFO: Probing ${PROBE_URL}... \"\n    if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n        echo \"INFO: Trying to clone known-false-positives..\"\n        git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n    fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n    echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n    echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n    # Build initial csfilter-kfp command\n    csfilter_kfp_cmd=(\n        csfilter-kfp\n        --verbose\n        --kfp-dir=\"${KFP_DIR}\"\n        --project-nvr=\"${PROJECT_NAME}\"\n    )\n\n    # Append --record-excluded option if RECORD_EXCLUDED is true\n    if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n        csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n    fi\n\n    # Execute the command and capture any errors\n    set +e\n    \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003e sast_unicode_check_out.json 2\u003e sast_unicode_check_out.error\n    status=$?\n    set -e\n    if [ \"$status\" -ne 0 ]; then\n        echo \"WARN: failed to filter known false positives\" \u003e\u00262\n        mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n    else\n        echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n    fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003e sast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n    note=\"Task sast-unicode-check success: No finding was detected\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s  sast_unicode_check_out.sarif ]]; then\n    note=\"Task sast-unicode-check success: Some findings were detected, but filtered by known false positive\"\n    ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n    echo \"sast-unicode-check test failed because of the following issues:\"\n    cat sast_unicode_check_out.json\n    TEST_OUTPUT=\n    parse_test_output \"sast-unicode-check\" sarif sast_unicode_check_out.sarif  || true\n    note=\"Task sast-unicode-check failed: For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0;\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n    if [ ! -f \"${UPLOAD_FILE}\" ]; then\n      echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n      continue\n    fi\n\n    if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n        MEDIA_TYPE=application/json\n    else\n        MEDIA_TYPE=application/sarif+json\n    fi\n\n    echo \"Selecting auth\"\n    select-oci-auth \"${IMAGE_URL}\" \u003e \"${HOME}/auth.json\"\n    echo \"Attaching to ${IMAGE_URL}\"\n    retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/workspace/workspace/hacbs/sast-unicode-check"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "name": "workspace"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component?rev=1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/commit_sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "build.appstudio.redhat.com/target_branch": "love-triangle-gc0rmg",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "9db88e0",
                    "pipelinesascode.tekton.dev/branch": "love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-xuiugn",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "72200095",
                    "pipelinesascode.tekton.dev/log-url": "https://52.5.204.238:9443/ns/group-r73r/pipelinerun/python-component-6fif5m-on-push-kkzhz",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"love-triangle-gc0rmg\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-6fif5m-push.yaml\".pathChanged() )",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-qe-bots-2",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #22764 from redhat-appstudio-qe/konflux-python-component-6fif5m\n\nkonflux-ci e2e-tests update python-component-6fif5m",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component/commit/1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/love-triangle-gc0rmg",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/group-snapshot-multi-component",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7/records/4a1e1b47-af63-437e-8d64-5e6cf16f04cf",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"group-snapshot-multi-component\",\"commit\":\"1246422a2ca6113a7d3b92314fd23d8563e3c1e7\",\"eventType\":\"push\",\"pull_request-id\":22764}",
                    "results.tekton.dev/result": "group-r73r/results/2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "results.tekton.dev/stored": "true",
                    "test.appstudio.openshift.io/pr-status": "merged"
                },
                "creationTimestamp": "2026-07-02T11:58:03Z",
                "finalizers": [
                    "chains.tekton.dev/taskrun",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.42.0",
                    "appstudio.openshift.io/application": "integ-app-4rko",
                    "appstudio.openshift.io/component": "python-component-6fif5m",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "84764129558",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "python-component-6fif5m-on-push",
                    "pipelinesascode.tekton.dev/pull-request": "22764",
                    "pipelinesascode.tekton.dev/repository": "go-component-pwrvk0",
                    "pipelinesascode.tekton.dev/sha": "1246422a2ca6113a7d3b92314fd23d8563e3c1e7",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe",
                    "pipelinesascode.tekton.dev/url-repository": "group-snapshot-multi-component",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRun": "python-component-6fif5m-on-push-kkzhz",
                    "tekton.dev/pipelineRunUID": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7",
                    "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks",
                    "tekton.dev/task": "ecosystem-cert-preflight-checks"
                },
                "name": "python-component-6fif5m-on-push20dc40b5c265529282d0534f3152aa0a",
                "namespace": "group-r73r",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "python-component-6fif5m-on-push-kkzhz",
                        "uid": "2a99e068-ebf3-46a2-a90b-7c0a01b0e0b7"
                    }
                ],
                "resourceVersion": "32834",
                "uid": "4a1e1b47-af63-437e-8d64-5e6cf16f04cf"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                    }
                ],
                "serviceAccountName": "build-pipeline-python-component-6fif5m",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "ecosystem-cert-preflight-checks"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-07-02T11:59:29Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-07-02T11:59:29Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "python-component-6fif5m-on-a83a673f74cc59e0b74e7308636702fb-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb"
                        },
                        "entryPoint": "ecosystem-cert-preflight-checks",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks"
                    }
                },
                "results": [
                    {
                        "name": "ARTIFACT_TYPE",
                        "type": "string",
                        "value": "application"
                    },
                    {
                        "name": "ARTIFACT_TYPE_SET_BY",
                        "type": "string",
                        "value": "introspection"
                    },
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7\", \"digests\": [\"sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\"]}}"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782993567\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                    }
                ],
                "startTime": "2026-07-02T11:58:04Z",
                "steps": [
                    {
                        "container": "step-introspect",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "introspect",
                        "provenance": {},
                        "results": [
                            {
                                "name": "artifact-type",
                                "type": "string",
                                "value": "application"
                            },
                            {
                                "name": "artifact-type-set-by",
                                "type": "string",
                                "value": "introspection"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://1d4dfe00439ad60fdff8e3f84dc5931135c32663525cfd1ad6e0be708be17fdb",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:58:19Z",
                            "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:58:18Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-generate-container-auth",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "generate-container-auth",
                        "provenance": {},
                        "results": [
                            {
                                "name": "auth-json-path",
                                "type": "string",
                                "value": "/auth/auth.json"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://1f3533d51c84226c0e03cfd993c4143ae3c80ae910658089a9f2475a04773857",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:58:20Z",
                            "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:58:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-set-skip-for-bundles",
                        "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                        "name": "set-skip-for-bundles",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://120ba0ad02fc5443312e9cef77447343c403aa5b36d869428ca3bf33a7b2a6ac",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:58:21Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:58:21Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-app-check",
                        "imageID": "quay.io/opdev/preflight@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                        "name": "app-check",
                        "provenance": {},
                        "terminated": {
                            "containerID": "containerd://69bcd0fc3e72e9fdd95668dc0cd9b206de139f20e9d8bf5a533f77572bce5730",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:59:26Z",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:58:22Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-app-set-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "app-set-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "images-processed",
                                "type": "string",
                                "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7\", \"digests\": [\"sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\"]}}"
                            },
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782993567\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://d459f372eb6c4a3c2614a34f5accf1f8c88038b4c8e0df7901253c06a251c7ad",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:59:27Z",
                            "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7\\\", \\\"digests\\\": [\\\"sha256:a5070b87cdfb35e8d04980bd720d8cb6b9c567cf99d1db9c69318698fc6f7384\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782993567\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:59:27Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-final-outcome",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "final-outcome",
                        "provenance": {},
                        "results": [
                            {
                                "name": "test-output",
                                "type": "string",
                                "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1782993567\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}"
                            }
                        ],
                        "terminated": {
                            "containerID": "containerd://03a65b5dbab794b663bf0b7eadb747ab394416768d9117ecda45041a86b835da",
                            "exitCode": 0,
                            "finishedAt": "2026-07-02T11:59:28Z",
                            "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1782993567\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]",
                            "reason": "Completed",
                            "startedAt": "2026-07-02T11:59:28Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.",
                    "params": [
                        {
                            "description": "Image url to scan.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "introspect",
                            "description": "The type of artifact. Select from application, operatorbundle, or introspect.",
                            "name": "artifact-type",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image is built on.",
                            "name": "platform",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Ecosystem checks pass or fail outcome.",
                            "name": "TEST_OUTPUT",
                            "type": "string",
                            "value": "$(steps.final-outcome.results.test-output)"
                        },
                        {
                            "description": "The artifact type, either introspected or set.",
                            "name": "ARTIFACT_TYPE",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type)"
                        },
                        {
                            "description": "How the artifact type was set.",
                            "name": "ARTIFACT_TYPE_SET_BY",
                            "type": "string",
                            "value": "$(steps.introspect.results.artifact-type-set-by)"
                        },
                        {
                            "description": "Collected image digests",
                            "name": "IMAGES_PROCESSED",
                            "type": "string",
                            "value": "$(steps.app-set-outcome.results.images-processed)"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_ARTIFACT_TYPE",
                                    "value": "introspect"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "introspect",
                            "results": [
                                {
                                    "description": "The type of artifact this task is considering.",
                                    "name": "artifact-type"
                                },
                                {
                                    "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n",
                                    "name": "artifact-type-set-by"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n  echo \"Artifact type will be determined by introspection.\"\n  _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n  # short circuit if the artifact type was set via parameter.\n  echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n  printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n  exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n  _CURRENT_ARCH=$(uname -m)\n  _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n  # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n  # to map them.\n  case ${_CURRENT_ARCH} in\n    \"aarch64\")\n      _CURRENT_ARCH=\"arm64\"\n      ;;\n    \"x86_64\")\n      _CURRENT_ARCH=\"amd64\"\n      ;;\n    *)\n      ;;\n  esac\n\n  # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n  _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n  if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n    echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n  else\n    # If there is no image for the current OS and architecture, just use the first one in the list.\n    _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n    _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n    _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n    _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n    echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n  fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n  | jq '.Labels | keys | .[]' -r \\\n  | { grep operators.operatorframework.io.bundle || true ;} \\\n  | tee /tmp/ecosystem-image-labels\nthen\n  echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n  exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "generate-container-auth",
                            "results": [
                                {
                                    "description": "Path to auth.json",
                                    "name": "auth-json-path"
                                }
                            ],
                            "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/auth",
                                    "name": "auth"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1",
                            "name": "set-skip-for-bundles",
                            "results": [
                                {
                                    "description": "A skipped tekton result for bundles.",
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/bundle",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "operatorbundle"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "4Gi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "4Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PFLT_DOCKERCONFIG",
                                    "value": "$(steps.generate-container-auth.results.auth-json-path)"
                                },
                                {
                                    "name": "PFLT_KONFLUX",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                                },
                                {
                                    "name": "PARAM_PLATFORM"
                                }
                            ],
                            "image": "quay.io/opdev/preflight:stable@sha256:0834c74012598ac7b0b0104deb947d449accd518db745047c98d1ddfcfd8ceaf",
                            "name": "app-check",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n  # Extract part after slash if present\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n\n  # Validate against supported arch list. If it's not a known arch, return an error result\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n  /usr/local/bin/preflight check container \"$image_url\"\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                },
                                {
                                    "mountPath": "/auth",
                                    "name": "auth",
                                    "readOnly": true
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "PARAM_IMAGE_URL",
                                    "value": "quay.io/redhat-appstudio-qe/group-r73r/python-component-6fif5m:1246422a2ca6113a7d3b92314fd23d8563e3c1e7"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "app-set-outcome",
                            "results": [
                                {
                                    "description": "The overall outcome of this task.",
                                    "name": "test-output"
                                },
                                {
                                    "description": "Processed image digests.",
                                    "name": "images-processed"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n    # Check if results directory exits\n    RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n    if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n        continue\n    fi\n    # Process results\n    if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n    PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n    PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{  result: $result,\n    timestamp: $date,\n    note: $note,\n    successes: $successes|tonumber,\n    failures: $failures|tonumber,\n    warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n  docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n  if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n    digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n  fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nimage_digest=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" | sha256sum | awk '{print \"sha256:\" $1}')\nif [[ -n \"$image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n  digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/artifacts",
                                    "name": "pfltoutputdir"
                                }
                            ],
                            "when": [
                                {
                                    "input": "$(steps.introspect.results.artifact-type)",
                                    "operator": "in",
                                    "values": [
                                        "application"
                                    ]
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "final-outcome",
                            "results": [
                                {
                                    "name": "test-output"
                                }
                            ],
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n  printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n  exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mount",
                                    "name": "pfltoutputdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "pfltoutputdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "auth"
                        }
                    ]
                }
            }
        }
    ],
    "kind": "List",
    "metadata": {
        "resourceVersion": ""
    }
}
