{ "apiVersion": "v1", "items": [ { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "chains.tekton.dev/signed": "true", "operator-sdk/primary-resource": "happy-path-i7ta/snapshot-sample-uom5-d499148-hszv4", "operator-sdk/primary-resource-type": "Release.appstudio.redhat.com", "pac.test.appstudio.openshift.io/sha": "d49914874789147eb2de9bb6a12cd5d150bfff92", "pac.test.appstudio.openshift.io/url-repository": "https://github.com/redhat-appstudio-qe/dc-metro-map-release", "pipeline.tekton.dev/release": "9db88e0", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "happy-path-managed/results/ce66dade-fcc6-46b1-913d-89e229d6dac0/records/dbce658d-8248-4a05-9aa5-d7f5071aeab5", "results.tekton.dev/result": "happy-path-managed/results/ce66dade-fcc6-46b1-913d-89e229d6dac0", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "release" }, "creationTimestamp": "2026-04-28T07:43:24Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-04-28T07:44:47Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "tekton-pipelines", "appstudio.openshift.io/application": "appstudio", "appstudio.openshift.io/service": "release", "appstudio.openshift.io/snapshot": "snapshot-sample-uom5", "pipelines.appstudio.openshift.io/type": "managed", "release.appstudio.openshift.io/name": "snapshot-sample-uom5-d499148-hszv4", "release.appstudio.openshift.io/namespace": "happy-path-i7ta", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "e2e", "tekton.dev/pipelineRun": "managed-r4kgn", "tekton.dev/pipelineRunUID": "ce66dade-fcc6-46b1-913d-89e229d6dac0", "tekton.dev/pipelineTask": "collect-data", "tekton.dev/task": "collect-data" }, "name": "managed-r4kgn-collect-data", "namespace": "happy-path-managed", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "managed-r4kgn", "uid": "ce66dade-fcc6-46b1-913d-89e229d6dac0" } ], "resourceVersion": "8174", "uid": "dbce658d-8248-4a05-9aa5-d7f5071aeab5" }, "spec": { "params": [ { "name": "release", "value": "happy-path-i7ta/snapshot-sample-uom5-d499148-hszv4" }, { "name": "releasePlan", "value": "happy-path-i7ta/source-releaseplan" }, { "name": "releasePlanAdmission", "value": "happy-path-managed/demo" }, { "name": "releaseServiceConfig", "value": "release-service/release-service-config" }, { "name": "snapshot", "value": "happy-path-i7ta/snapshot-sample-uom5" }, { "name": "subdirectory", "value": "ce66dade-fcc6-46b1-913d-89e229d6dac0" }, { "name": "ociStorage", "value": "quay.io/konflux-ci/release-service-trusted-artifacts" }, { "name": "dataDir", "value": "/var/workdir/release" }, { "name": "trustedArtifactsDebug", "value": "" }, { "name": "taskGitUrl", "value": "https://github.com/konflux-ci/release-service-catalog" }, { "name": "taskGitRevision", "value": "development" } ], "serviceAccountName": "release-service-account", "taskRef": { "params": [ { "name": "url", "value": "https://github.com/konflux-ci/release-service-catalog" }, { "name": "revision", "value": "development" }, { "name": "pathInRepo", "value": "tasks/managed/collect-data/collect-data.yaml" } ], "resolver": "git" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-04-28T07:43:57Z", "conditions": [ { "lastTransitionTime": "2026-04-28T07:43:57Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "managed-r4kgn-collect-data-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha1": "64f719dac16c7fa1dec0eeefa38f885ee3c1f7e1" }, "entryPoint": "tasks/managed/collect-data/collect-data.yaml", "uri": "git+https://github.com/konflux-ci/release-service-catalog" } }, "results": [ { "name": "data", "type": "string", "value": "ce66dade-fcc6-46b1-913d-89e229d6dac0/data.json" }, { "name": "release", "type": "string", "value": "ce66dade-fcc6-46b1-913d-89e229d6dac0/release.json" }, { "name": "releasePipelineMetadata", "type": "string", "value": "{\"org\":\"konflux-ci\",\"repo\":\"release-service-catalog\",\"revision\":\"development\",\"pathinrepo\":\"pipelines/managed/e2e/e2e.yaml\",\"sha\":\"64f719dac16c7fa1dec0eeefa38f885ee3c1f7e1\"}\n" }, { "name": "releasePlan", "type": "string", "value": "ce66dade-fcc6-46b1-913d-89e229d6dac0/release_plan.json" }, { "name": "releasePlanAdmission", "type": "string", "value": "ce66dade-fcc6-46b1-913d-89e229d6dac0/release_plan_admission.json" }, { "name": "releaseServiceConfig", "type": "string", "value": "ce66dade-fcc6-46b1-913d-89e229d6dac0/release_service_config.json" }, { "name": "resultsDir", "type": "string", "value": "ce66dade-fcc6-46b1-913d-89e229d6dac0/results" }, { "name": "singleComponentMode", "type": "string", "value": "false" }, { "name": "snapshotBuildId", "type": "string", "value": "" }, { "name": "snapshotName", "type": "string", "value": "snapshot-sample-uom5" }, { "name": "snapshotNamespace", "type": "string", "value": "happy-path-i7ta" }, { "name": "snapshotSpec", "type": "string", "value": "ce66dade-fcc6-46b1-913d-89e229d6dac0/snapshot_spec.json" }, { "name": "subdirectory", "type": "string", "value": "ce66dade-fcc6-46b1-913d-89e229d6dac0" }, { "name": "sourceDataArtifact", "type": "string", "value": "oci:quay.io/konflux-ci/release-service-trusted-artifacts@sha256:c38e334e3f4e57538baf00f11a35c5088fc5d43a2ccf3234d95bbf64b893ea62" } ], "startTime": "2026-04-28T07:43:24Z", "steps": [ { "container": "step-collect-data", "imageID": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3", "name": "collect-data", "provenance": {}, "terminated": { "containerID": "containerd://363a26e8ead0e7bd236e370b81c0857d5607cb8c27b4fd2196435c99ddff9726", "exitCode": 0, "finishedAt": "2026-04-28T07:43:54Z", "message": "[{\"key\":\"data\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0/data.json\",\"type\":1},{\"key\":\"release\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0/release.json\",\"type\":1},{\"key\":\"releasePipelineMetadata\",\"value\":\"{\\\"org\\\":\\\"konflux-ci\\\",\\\"repo\\\":\\\"release-service-catalog\\\",\\\"revision\\\":\\\"development\\\",\\\"pathinrepo\\\":\\\"pipelines/managed/e2e/e2e.yaml\\\",\\\"sha\\\":\\\"64f719dac16c7fa1dec0eeefa38f885ee3c1f7e1\\\"}\\n\",\"type\":1},{\"key\":\"releasePlan\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0/release_plan.json\",\"type\":1},{\"key\":\"releasePlanAdmission\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0/release_plan_admission.json\",\"type\":1},{\"key\":\"releaseServiceConfig\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0/release_service_config.json\",\"type\":1},{\"key\":\"resultsDir\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0/results\",\"type\":1},{\"key\":\"singleComponentMode\",\"value\":\"false\",\"type\":1},{\"key\":\"snapshotBuildId\",\"value\":\"\",\"type\":1},{\"key\":\"snapshotName\",\"value\":\"snapshot-sample-uom5\",\"type\":1},{\"key\":\"snapshotNamespace\",\"value\":\"happy-path-i7ta\",\"type\":1},{\"key\":\"snapshotSpec\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0/snapshot_spec.json\",\"type\":1},{\"key\":\"subdirectory\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-28T07:43:53Z" }, "terminationReason": "Completed" }, { "container": "step-check-data-key-sources", "imageID": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3", "name": "check-data-key-sources", "provenance": {}, "terminated": { "containerID": "containerd://79306056ba70105ee129057adcfe1c2d696c92df882ab5b1acdc69f9bce92a69", "exitCode": 0, "finishedAt": "2026-04-28T07:43:55Z", "message": "[{\"key\":\"data\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0/data.json\",\"type\":1},{\"key\":\"release\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0/release.json\",\"type\":1},{\"key\":\"releasePipelineMetadata\",\"value\":\"{\\\"org\\\":\\\"konflux-ci\\\",\\\"repo\\\":\\\"release-service-catalog\\\",\\\"revision\\\":\\\"development\\\",\\\"pathinrepo\\\":\\\"pipelines/managed/e2e/e2e.yaml\\\",\\\"sha\\\":\\\"64f719dac16c7fa1dec0eeefa38f885ee3c1f7e1\\\"}\\n\",\"type\":1},{\"key\":\"releasePlan\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0/release_plan.json\",\"type\":1},{\"key\":\"releasePlanAdmission\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0/release_plan_admission.json\",\"type\":1},{\"key\":\"releaseServiceConfig\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0/release_service_config.json\",\"type\":1},{\"key\":\"resultsDir\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0/results\",\"type\":1},{\"key\":\"singleComponentMode\",\"value\":\"false\",\"type\":1},{\"key\":\"snapshotBuildId\",\"value\":\"\",\"type\":1},{\"key\":\"snapshotName\",\"value\":\"snapshot-sample-uom5\",\"type\":1},{\"key\":\"snapshotNamespace\",\"value\":\"happy-path-i7ta\",\"type\":1},{\"key\":\"snapshotSpec\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0/snapshot_spec.json\",\"type\":1},{\"key\":\"subdirectory\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-28T07:43:55Z" }, "terminationReason": "Completed" }, { "container": "step-create-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476", "name": "create-trusted-artifact", "provenance": {}, "terminated": { "containerID": "containerd://5de9d6a9180da8118cb024244930fb7ed06f4ec10041c8f64a03a6f99aa7fca7", "exitCode": 0, "finishedAt": "2026-04-28T07:43:57Z", "message": "[{\"key\":\"data\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0/data.json\",\"type\":1},{\"key\":\"release\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0/release.json\",\"type\":1},{\"key\":\"releasePipelineMetadata\",\"value\":\"{\\\"org\\\":\\\"konflux-ci\\\",\\\"repo\\\":\\\"release-service-catalog\\\",\\\"revision\\\":\\\"development\\\",\\\"pathinrepo\\\":\\\"pipelines/managed/e2e/e2e.yaml\\\",\\\"sha\\\":\\\"64f719dac16c7fa1dec0eeefa38f885ee3c1f7e1\\\"}\\n\",\"type\":1},{\"key\":\"releasePlan\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0/release_plan.json\",\"type\":1},{\"key\":\"releasePlanAdmission\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0/release_plan_admission.json\",\"type\":1},{\"key\":\"releaseServiceConfig\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0/release_service_config.json\",\"type\":1},{\"key\":\"resultsDir\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0/results\",\"type\":1},{\"key\":\"singleComponentMode\",\"value\":\"false\",\"type\":1},{\"key\":\"snapshotBuildId\",\"value\":\"\",\"type\":1},{\"key\":\"snapshotName\",\"value\":\"snapshot-sample-uom5\",\"type\":1},{\"key\":\"snapshotNamespace\",\"value\":\"happy-path-i7ta\",\"type\":1},{\"key\":\"snapshotSpec\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0/snapshot_spec.json\",\"type\":1},{\"key\":\"sourceDataArtifact\",\"value\":\"oci:quay.io/konflux-ci/release-service-trusted-artifacts@sha256:c38e334e3f4e57538baf00f11a35c5088fc5d43a2ccf3234d95bbf64b893ea62\",\"type\":1},{\"key\":\"subdirectory\",\"value\":\"ce66dade-fcc6-46b1-913d-89e229d6dac0\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-28T07:43:55Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Tekton task to collect the information added to the data field of the release resources.\n\nThe purpose of this task is to collect all the data and supply it to the other task in the pipeline by creating\na json file called `data.json` in the workspace.\n\nThis task also stores the passed resources as json files in a workspace.\n\nThe parameters to this task are lowercase instead of camelCase because they are passed from the operator, and the\noperator passes them as lowercase.\n\nA task result is returned for each resource with the relative path to the stored JSON for it in the workspace.\n\nFinally, the task checks that the keys from the correct resource (a key that should come from the\nReleasePlanAdmission should not be present in the Release data section).", "params": [ { "description": "The namespaced name of the Release", "name": "release", "type": "string" }, { "description": "The namespaced name of the ReleasePlan", "name": "releasePlan", "type": "string" }, { "description": "The namespaced name of the ReleasePlanAdmission", "name": "releasePlanAdmission", "type": "string" }, { "description": "The namespaced name of the ReleaseServiceConfig", "name": "releaseServiceConfig", "type": "string" }, { "description": "The namespaced name of the Snapshot", "name": "snapshot", "type": "string" }, { "default": "", "description": "Subdirectory inside the workspace to be used", "name": "subdirectory", "type": "string" }, { "default": "empty", "description": "The OCI repository where the Trusted Artifacts are stored", "name": "ociStorage", "type": "string" }, { "default": "", "description": "oras options to pass to Trusted Artifacts calls", "name": "orasOptions", "type": "string" }, { "default": "1d", "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire", "name": "ociArtifactExpiresAfter", "type": "string" }, { "default": "", "description": "Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable", "name": "trustedArtifactsDebug", "type": "string" }, { "default": "/var/workdir/release", "description": "The location where data will be stored", "name": "dataDir", "type": "string" }, { "description": "The url to the git repo where the release-service-catalog tasks and stepactions to be used are stored", "name": "taskGitUrl", "type": "string" }, { "description": "The revision in the taskGitUrl repo to be used", "name": "taskGitRevision", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "/mnt/trusted-ca/ca-bundle.crt", "description": "Path to CA certificate bundle for TLS verification with self-signed certificates", "name": "caCertPath", "type": "string" } ], "results": [ { "description": "The relative path in the workspace to the stored release json", "name": "release", "type": "string" }, { "description": "The relative path in the workspace to the stored releasePlan json", "name": "releasePlan", "type": "string" }, { "description": "The relative path in the workspace to the stored releasePlanAdmission json", "name": "releasePlanAdmission", "type": "string" }, { "description": "The relative path in the workspace to the stored releaseServiceConfig json", "name": "releaseServiceConfig", "type": "string" }, { "description": "The relative path in the workspace to the stored snapshotSpec json", "name": "snapshotSpec", "type": "string" }, { "description": "The relative path in the workspace to the stored data json", "name": "data", "type": "string" }, { "description": "The relative path in the workspace to the results directory", "name": "resultsDir", "type": "string" }, { "description": "single component mode", "name": "singleComponentMode", "type": "string" }, { "description": "name of Snapshot resource", "name": "snapshotName", "type": "string" }, { "description": "namespace where Snapshot is located", "name": "snapshotNamespace", "type": "string" }, { "description": "Build Id where Snapshot originated", "name": "snapshotBuildId", "type": "string" }, { "description": "json object containing git resolver metadata about the running release pipeline", "name": "releasePipelineMetadata", "type": "string" }, { "description": "Produced trusted data artifact", "name": "sourceDataArtifact", "type": "string" }, { "description": "Subdirectory inside the workspace to be used", "name": "subdirectory", "type": "string" } ], "stepTemplate": { "computeResources": {}, "env": [ { "name": "IMAGE_EXPIRES_AFTER", "value": "1d" }, { "name": "ORAS_OPTIONS" }, { "name": "DEBUG" } ], "securityContext": { "runAsUser": 1001 }, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ] }, "steps": [ { "computeResources": { "limits": { "memory": "64Mi" }, "requests": { "cpu": "50m", "memory": "64Mi" } }, "env": [ { "name": "RELEASE", "value": "happy-path-i7ta/snapshot-sample-uom5-d499148-hszv4" }, { "name": "RELEASE_PLAN", "value": "happy-path-i7ta/source-releaseplan" }, { "name": "RELEASE_PLAN_ADMISSION", "value": "happy-path-managed/demo" }, { "name": "RELEASE_SERVICE_CONFIG", "value": "release-service/release-service-config" }, { "name": "SNAPSHOT", "value": "happy-path-i7ta/snapshot-sample-uom5" } ], "image": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3", "name": "collect-data", "script": "#!/usr/bin/env bash\nset -eo pipefail\n\nif [ -f \"/mnt/trusted-ca/ca-bundle.crt\" ]; then\n export SSL_CERT_FILE=\"/mnt/trusted-ca/ca-bundle.crt\"\nfi\n\nset -x\necho -n \"ce66dade-fcc6-46b1-913d-89e229d6dac0\" \u003e \"/tekton/results/subdirectory\"\n\nRESULTS_DIR_PATH=\"results\"\nif [ -n \"ce66dade-fcc6-46b1-913d-89e229d6dac0\" ]; then\n mkdir -p \"/var/workdir/release/ce66dade-fcc6-46b1-913d-89e229d6dac0\"\n RESULTS_DIR_PATH=\"ce66dade-fcc6-46b1-913d-89e229d6dac0/results\"\nfi\n\nmkdir -p \"/var/workdir/release/$RESULTS_DIR_PATH\"\necho -n \"$RESULTS_DIR_PATH\" \u003e \"/tekton/results/resultsDir\"\n\nRELEASE_PATH=\"ce66dade-fcc6-46b1-913d-89e229d6dac0/release.json\"\necho -n \"$RELEASE_PATH\" \u003e \"/tekton/results/release\"\nget-resource \"release\" \"${RELEASE}\" | tee \"/var/workdir/release/$RELEASE_PATH\"\n\nRELEASEPLAN_PATH=\"ce66dade-fcc6-46b1-913d-89e229d6dac0/release_plan.json\"\necho -n \"$RELEASEPLAN_PATH\" \u003e \"/tekton/results/releasePlan\"\nget-resource \"releaseplan\" \"${RELEASE_PLAN}\" | tee \"/var/workdir/release/$RELEASEPLAN_PATH\"\n\nRELEASEPLANADMISSION_PATH=\"ce66dade-fcc6-46b1-913d-89e229d6dac0/release_plan_admission.json\"\necho -n \"$RELEASEPLANADMISSION_PATH\" \u003e \"/tekton/results/releasePlanAdmission\"\nget-resource \"releaseplanadmission\" \"${RELEASE_PLAN_ADMISSION}\" \\\n | tee \"/var/workdir/release/$RELEASEPLANADMISSION_PATH\"\n\nRELEASESERVICECONFIG_PATH=\"ce66dade-fcc6-46b1-913d-89e229d6dac0/release_service_config.json\"\necho -n \"$RELEASESERVICECONFIG_PATH\" \u003e \"/tekton/results/releaseServiceConfig\"\nget-resource \"releaseserviceconfig\" \"${RELEASE_SERVICE_CONFIG}\" \\\n | tee \"/var/workdir/release/$RELEASESERVICECONFIG_PATH\"\n\necho -e \"\\nFetching Snapshot Spec\"\nSNAPSHOTSPEC_PATH=\"ce66dade-fcc6-46b1-913d-89e229d6dac0/snapshot_spec.json\"\necho -n \"$SNAPSHOTSPEC_PATH\" \u003e \"/tekton/results/snapshotSpec\"\nget-resource \"snapshot\" \"${SNAPSHOT}\" \"{.spec}\" \\\n | jq '(if .componentGroup == null then .componentGroup = .application else . end) | del(.application)' \\\n | tee \"/var/workdir/release/$SNAPSHOTSPEC_PATH\"\nlabels=$(get-resource \"snapshot\" \"${SNAPSHOT}\" \"{.metadata.labels}\")\nBUILD_ID=$(jq -r '.\"appstudio.openshift.io/build-pipelinerun\" // \"\"' \u003c\u003c\u003c \"${labels}\")\necho -n \"${BUILD_ID}\" | tee \"/tekton/results/snapshotBuildId\"\n\necho -e \"\\nGenerating collectors data\"\ncollectors_status=$(get-resource \"release\" \"${RELEASE}\" \"{.status.collectors}\")\necho \"***collectors status\"\necho \"${collectors_status}\"\necho \"***\"\n\ncollectors_result=$(jq -c '\n def deepmerge(a; b):\n reduce b[] as $item (a;\n reduce ($item | keys_unsorted[]) as $key (.;\n $item[$key] as $val | ($val | type) as $type | .[$key] = if ($type == \"object\") then\n deepmerge({}; [if .[$key] == null then {} else .[$key] end, $val])\n elif ($type == \"array\") then\n (.[$key] + $val | unique)\n else\n $val\n end)\n );\n\n # Ensure we safely handle missing collectors\n (.? // {}) as $collectors |\n\n # Flatten and combine the managed and tenant sections\n [($collectors.managed? // {} | to_entries | map(.value)) +\n ($collectors.tenant? // {} | to_entries | map(.value))] |\n flatten |\n deepmerge({}; .)\n' \u003c\u003c\u003c \"${collectors_status}\")\necho \"***collectors\"\njq \u003c\u003c\u003c \"$collectors_result\"\necho \"***\"\n\necho -e \"\\nFetching merged data json\"\nrelease_result=$(get-resource \"release\" \"${RELEASE}\" \"{.spec.data}\")\n\nrelease_plan_result=$(get-resource \"releaseplan\" \"${RELEASE_PLAN}\" \"{.spec.data}\")\n\nrelease_plan_admission_result=$(get-resource \"releaseplanadmission\" \"${RELEASE_PLAN_ADMISSION}\" \\\n \"{.spec.data}\")\n\n# Merge collectors and Release keys. Release has higher priority\nmerged_output=$(merge-json \"$collectors_result\" \"$release_result\")\n\n# Merge now with ReleasePlan keys. ReleasePlan has higher priority\nmerged_output=$(merge-json \"$merged_output\" \"$release_plan_result\")\n\n# Finally merge with ReleasePlanAdmission keys. ReleasePlanAdmission has higher priority\nmerged_output=$(merge-json \"$merged_output\" \"$release_plan_admission_result\")\n\nDATA_PATH=\"ce66dade-fcc6-46b1-913d-89e229d6dac0/data.json\"\necho -n \"$DATA_PATH\" \u003e \"/tekton/results/data\"\necho \"$merged_output\" | tee \"/var/workdir/release/$DATA_PATH\"\n\n# get pipeline ref info\npipelineref=$(jq -c '.spec.pipeline.pipelineRef' \\\n \"/var/workdir/release/ce66dade-fcc6-46b1-913d-89e229d6dac0/release_plan_admission.json\")\nresolver=$(jq -r '.resolver // \"\"' \u003c\u003c\u003c \"${pipelineref}\")\nif [ \"${resolver}\" == \"git\" ] ; then\n url=$(jq -r '.params[] | select(.name==\"url\") | .value' \u003c\u003c\u003c \"${pipelineref}\")\n revision=$(jq -r '.params[] | select(.name==\"revision\") | .value' \u003c\u003c\u003c \"${pipelineref}\")\n pathinrepo=$(jq -r '.params[] | select(.name==\"pathInRepo\") | .value' \u003c\u003c\u003c \"${pipelineref}\")\n orgrepo=\"${url#*/*/*/}\"\n org=$(echo \"${orgrepo}\" | cut -f1 -d/)\n repo=$(echo \"${orgrepo}\" | cut -f2 -d/ | cut -d. -f1)\n\n sha=$(curl -s \"https://api.github.com/repos/${org}/${repo}/commits/${revision}\" | jq -r '.sha // \"\"')\n\nfi\n\norg=\"${org:-unknown}\"\nrepo=\"${repo:-unknown}\"\nrevision=\"${revision:-unknown}\"\npathinrepo=\"${pathinrepo:-unknown}\"\nsha=\"${sha:-unknown}\"\n\necho \"\"\necho \"Release Pipeline Ref Info:\"\necho \"--------------------------\"\n\njson=$(jq -n -c \\\n --arg org \"${org}\" \\\n --arg repo \"${repo}\" \\\n --arg revision \"${revision}\" \\\n --arg pathinrepo \"${pathinrepo}\" \\\n --arg sha \"${sha}\" \\\n '$ARGS.named')\n\necho \"${json}\" \u003e \"/tekton/results/releasePipelineMetadata\"\n# pretty print for log message\njq . \u003c\u003c\u003c \"$json\"\n\nSINGLE_COMPONENT_MODE=$(jq -r '.singleComponentMode // \"false\"' \"/var/workdir/release/$DATA_PATH\")\nSNAPSHOT_NAME=$(echo \"${SNAPSHOT}\" | cut -f2 -d/)\nSNAPSHOT_NAMESPACE=$(echo \"${SNAPSHOT}\" | cut -f1 -d/)\n\necho -n \"${SINGLE_COMPONENT_MODE}\" | tee \"/tekton/results/singleComponentMode\"\necho -n \"${SNAPSHOT_NAME}\" | tee \"/tekton/results/snapshotName\"\necho -n \"${SNAPSHOT_NAMESPACE}\" | tee \"/tekton/results/snapshotNamespace\"\n" }, { "computeResources": { "limits": { "memory": "32Mi" }, "requests": { "cpu": "10m", "memory": "32Mi" } }, "image": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3", "name": "check-data-key-sources", "script": "#!/usr/bin/env bash\nset -ex\n\nDISALLOWED_KEYS_JSON='{\n \"Release\": [\n \"releaseNotes.product_id\",\n \"releaseNotes.product_name\",\n \"releaseNotes.product_version\",\n \"releaseNotes.product_stream\",\n \"releaseNotes.cpe\",\n \"releaseNotes.allow_custom_live_id\"\n ],\n \"ReleasePlan\": [\n \"releaseNotes.product_id\",\n \"releaseNotes.product_name\",\n \"releaseNotes.product_version\",\n \"releaseNotes.product_stream\",\n \"releaseNotes.cpe\",\n \"releaseNotes.allow_custom_live_id\"\n ],\n \"ReleasePlanAdmission\": [\n ]\n}'\n\nRC=0\n\ncheck_source () { # Expected arguments are [CRD from DISALLOWED_KEYS_JSON, file]\n for KEY in $(jq -r \".$1[]\" \u003c\u003c\u003c \"$DISALLOWED_KEYS_JSON\") ; do\n if [[ $(jq \".spec.data.$KEY\" \"$2\") != \"null\" ]] ; then\n echo \"Found disallowed key: $KEY in resource $1\"\n RC=1\n fi\n done\n}\n\ncheck_source \"Release\" \"/var/workdir/release/ce66dade-fcc6-46b1-913d-89e229d6dac0/release.json\"\ncheck_source \"ReleasePlan\" \"/var/workdir/release/ce66dade-fcc6-46b1-913d-89e229d6dac0/release_plan.json\"\ncheck_source \"ReleasePlanAdmission\" \\\n \"/var/workdir/release/ce66dade-fcc6-46b1-913d-89e229d6dac0/release_plan_admission.json\"\n\nexit $RC\n" }, { "args": [ "create", "--store", "quay.io/konflux-ci/release-service-trusted-artifacts", "/tekton/results/sourceDataArtifact=/var/workdir/release" ], "computeResources": { "limits": { "memory": "128Mi" }, "requests": { "cpu": "250m", "memory": "128Mi" } }, "env": [ { "name": "HOME", "value": "/tekton/home" }, { "name": "ORAS_OPTIONS" }, { "name": "CA_FILE", "value": "/mnt/trusted-ca/ca-bundle.crt" } ], "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476", "name": "create-trusted-artifact" } ], "volumes": [ { "emptyDir": {}, "name": "workdir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "chains.tekton.dev/signed": "true", "operator-sdk/primary-resource": "happy-path-i7ta/snapshot-sample-uom5-d499148-hszv4", "operator-sdk/primary-resource-type": "Release.appstudio.redhat.com", "pac.test.appstudio.openshift.io/sha": "d49914874789147eb2de9bb6a12cd5d150bfff92", "pac.test.appstudio.openshift.io/url-repository": "https://github.com/redhat-appstudio-qe/dc-metro-map-release", "pipeline.tekton.dev/release": "9db88e0", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "happy-path-managed/results/ce66dade-fcc6-46b1-913d-89e229d6dac0/records/99212baf-0e85-4c65-b9d2-91881087ee73", "results.tekton.dev/result": "happy-path-managed/results/ce66dade-fcc6-46b1-913d-89e229d6dac0", "results.tekton.dev/stored": "true", "tekton.dev/displayName": "Verify Conforma in Konflux", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "release" }, "creationTimestamp": "2026-04-28T07:43:57Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-04-28T07:44:47Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "tekton-pipelines", "app.kubernetes.io/version": "0.1", "appstudio.openshift.io/application": "appstudio", "appstudio.openshift.io/service": "release", "appstudio.openshift.io/snapshot": "snapshot-sample-uom5", "pipelines.appstudio.openshift.io/type": "managed", "release.appstudio.openshift.io/name": "snapshot-sample-uom5-d499148-hszv4", "release.appstudio.openshift.io/namespace": "happy-path-i7ta", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "e2e", "tekton.dev/pipelineRun": "managed-r4kgn", "tekton.dev/pipelineRunUID": "ce66dade-fcc6-46b1-913d-89e229d6dac0", "tekton.dev/pipelineTask": "verify-conforma", "tekton.dev/task": "verify-conforma-konflux-ta" }, "name": "managed-r4kgn-verify-conforma", "namespace": "happy-path-managed", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "managed-r4kgn", "uid": "ce66dade-fcc6-46b1-913d-89e229d6dac0" } ], "resourceVersion": "8176", "uid": "99212baf-0e85-4c65-b9d2-91881087ee73" }, "spec": { "params": [ { "name": "SNAPSHOT_FILENAME", "value": "ce66dade-fcc6-46b1-913d-89e229d6dac0/snapshot_spec.json" }, { "name": "SSL_CERT_DIR", "value": "/var/run/secrets/kubernetes.io/serviceaccount" }, { "name": "POLICY_CONFIGURATION", "value": "{\"description\":\"Red Hat's enterprise requirements\",\"sources\":[{\"name\":\"Default\",\"policy\":[\"oci::quay.io/conforma/release-policy:konflux@sha256:6eb386faaf76de0d7dbc9f9e770a7f5639ebcee88e4ed4f004f8053189b21eae\"],\"data\":[\"oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:7612aa06e24e5d8d304e97fd2bde931a6f052f0c1761b766cbcdb20f076c0502\",\"github.com/release-engineering/rhtap-ec-policy.git//data?ref=acaef210b5ddca7a87854b5141556c30efdc2afc\"],\"config\":{\"include\":[\"@slsa3\"]}}],\"configuration\":{\"exclude\":[\"step_image_registries\",\"tasks.required_tasks_found:prefetch-dependencies\"],\"collections\":[\"@slsa3\"]},\"publicKey\":\"k8s://happy-path-managed/cosign-public-key\"}" }, { "name": "STRICT", "value": "true" }, { "name": "IGNORE_REKOR", "value": "true" }, { "name": "EXTRA_RULE_DATA", "value": "pipeline_intention=release" }, { "name": "SOURCE_DATA_ARTIFACT", "value": "oci:quay.io/konflux-ci/release-service-trusted-artifacts@sha256:c38e334e3f4e57538baf00f11a35c5088fc5d43a2ccf3234d95bbf64b893ea62" }, { "name": "TRUSTED_ARTIFACTS_DEBUG", "value": "" } ], "retries": 2, "serviceAccountName": "release-service-account", "taskRef": { "params": [ { "name": "url", "value": "https://github.com/conforma/cli" }, { "name": "revision", "value": "671c67269434c73faa7e3a0800b2983cf48a6f1d" }, { "name": "pathInRepo", "value": "tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml" } ], "resolver": "git" }, "timeout": "4h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-04-28T07:44:36Z", "conditions": [ { "lastTransitionTime": "2026-04-28T07:44:36Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "managed-r4kgn-verify-conforma-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha1": "671c67269434c73faa7e3a0800b2983cf48a6f1d" }, "entryPoint": "tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml", "uri": "git+https://github.com/conforma/cli" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"timestamp\":\"1777362272\",\"namespace\":\"\",\"successes\":22,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\"}\n" }, { "name": "VSA_GENERATED", "type": "string", "value": "false" } ], "startTime": "2026-04-28T07:43:58Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/redhat-appstudio/build-trusted-artifacts@sha256:9b180776a41d9a22a1c51539f1647c60defbbd55b44bbebdd4130e33512d8b0d", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "containerd://9cb530fc8796204bcdc64c9a9dec7ecfe342e2b838d24777ceeabfa30e86174d", "exitCode": 0, "finishedAt": "2026-04-28T07:44:23Z", "reason": "Completed", "startedAt": "2026-04-28T07:44:22Z" }, "terminationReason": "Completed" }, { "container": "step-initialize-tuf", "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d", "name": "initialize-tuf", "provenance": {}, "terminated": { "containerID": "containerd://3f6346fc4204df6883c8a52a2ed7f82cb81b1fb3c135427485a3b1afb42ad5ff", "exitCode": 0, "finishedAt": "2026-04-28T07:44:23Z", "reason": "Completed", "startedAt": "2026-04-28T07:44:23Z" }, "terminationReason": "Completed" }, { "container": "step-reduce", "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d", "name": "reduce", "provenance": {}, "terminated": { "containerID": "containerd://96f48f49dca06d0094e7a464ded4f8f9652e1207b1979913dffb37e7484c6991", "exitCode": 0, "finishedAt": "2026-04-28T07:44:24Z", "reason": "Completed", "startedAt": "2026-04-28T07:44:24Z" }, "terminationReason": "Completed" }, { "container": "step-validate", "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d", "name": "validate", "provenance": {}, "terminated": { "containerID": "containerd://0a860285c8969d450715b7552554022415dfbefc35d6030bef5c09c56ee9bd9e", "exitCode": 0, "finishedAt": "2026-04-28T07:44:32Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777362272\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":22,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\"}\\n\",\"type\":1},{\"key\":\"VSA_GENERATED\",\"value\":\"false\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-28T07:44:24Z" }, "terminationReason": "Completed" }, { "container": "step-report-json", "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d", "name": "report-json", "provenance": {}, "terminated": { "containerID": "containerd://b8b2305cf69d9b6f38917de248a0cd8002bce099e4a33cfb6916ccec8d22122c", "exitCode": 0, "finishedAt": "2026-04-28T07:44:33Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777362272\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":22,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\"}\\n\",\"type\":1},{\"key\":\"VSA_GENERATED\",\"value\":\"false\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-28T07:44:33Z" }, "terminationReason": "Completed" }, { "container": "step-summary", "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d", "name": "summary", "provenance": {}, "terminated": { "containerID": "containerd://836e4a314366256162976de5ccd7daa6ff1ba8a4765ecc8353cfaf2655dca9ae", "exitCode": 0, "finishedAt": "2026-04-28T07:44:33Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777362272\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":22,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\"}\\n\",\"type\":1},{\"key\":\"VSA_GENERATED\",\"value\":\"false\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-28T07:44:33Z" }, "terminationReason": "Completed" }, { "container": "step-version", "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d", "name": "version", "provenance": {}, "terminated": { "containerID": "containerd://91902e6299573b5cedf4d9b6599ba68c22e4e4caecf78270077f8a51a5f3b183", "exitCode": 0, "finishedAt": "2026-04-28T07:44:33Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777362272\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":22,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\"}\\n\",\"type\":1},{\"key\":\"VSA_GENERATED\",\"value\":\"false\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-28T07:44:33Z" }, "terminationReason": "Completed" }, { "container": "step-show-config", "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d", "name": "show-config", "provenance": {}, "terminated": { "containerID": "containerd://e8ebdc86f8027363919262334f0de345513c28d318f10b9d31c9ca8569ded660", "exitCode": 0, "finishedAt": "2026-04-28T07:44:34Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777362272\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":22,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\"}\\n\",\"type\":1},{\"key\":\"VSA_GENERATED\",\"value\":\"false\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-28T07:44:34Z" }, "terminationReason": "Completed" }, { "container": "step-detailed-report", "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d", "name": "detailed-report", "provenance": {}, "terminated": { "containerID": "containerd://1d4649e5c948a00ad48c5c4032bb7d735045b46f200bc951f1cebde4c220a97f", "exitCode": 0, "finishedAt": "2026-04-28T07:44:34Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777362272\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":22,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\"}\\n\",\"type\":1},{\"key\":\"VSA_GENERATED\",\"value\":\"false\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-28T07:44:34Z" }, "terminationReason": "Completed" }, { "container": "step-assert", "imageID": "quay.io/conforma/cli@sha256:2f5bed7fd51f678ea960aaf5bed033412b7d207a83bb1b02b108be5ca71a058d", "name": "assert", "provenance": {}, "terminated": { "containerID": "containerd://67bb72d9adb372c080f94caf8747fb171fd55193454e3d836309b0591acfb5dd", "exitCode": 0, "finishedAt": "2026-04-28T07:44:35Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777362272\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":22,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\"}\\n\",\"type\":1},{\"key\":\"VSA_GENERATED\",\"value\":\"false\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-28T07:44:34Z" }, "terminationReason": "Completed" }, { "container": "step-create-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476", "name": "create-trusted-artifact", "provenance": {}, "terminated": { "containerID": "containerd://0de1fa8cbfabf0ff41d70fd0cc8020e1a0af27138ce084d306ecc0262ed3c3a4", "exitCode": 0, "finishedAt": "2026-04-28T07:44:35Z", "reason": "Completed", "startedAt": "2026-04-28T07:44:35Z" }, "terminationReason": "Skipped" } ], "taskSpec": { "description": "Verify the enterprise contract is met", "params": [ { "description": "The filename of the `Snapshot` that is located within the trusted artifact\n", "name": "SNAPSHOT_FILENAME", "type": "string" }, { "description": "Trusted Artifact to use to obtain the Snapshot to validate.\n", "name": "SOURCE_DATA_ARTIFACT", "type": "string" }, { "default": "enterprise-contract-service/default", "description": "Name of the policy configuration (EnterpriseContractPolicy\nresource) to use. `namespace/name` or `name` syntax supported. If\nnamespace is omitted the namespace where the task runs is used.\nYou can also specify a policy configuration using a git url, e.g.\n`github.com/conforma/config//slsa3`.\n", "name": "POLICY_CONFIGURATION", "type": "string" }, { "default": "", "description": "Public key used to verify traditional long-lived signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute. Required for traditional signing key verification. Will be ignored if any of CERTIFICATE_IDENTITY, CERTIFICATE_IDENTITY_REGEXP, CERTIFICATE_OIDC_ISSUER, or CERTIFICATE_OIDC_ISSUER_REGEXP are provided.", "name": "PUBLIC_KEY", "type": "string" }, { "default": "", "description": "Rekor host for transparency log lookups", "name": "REKOR_HOST", "type": "string" }, { "default": "", "description": "Expected identity in the signing certificate for keyless verification. This should be the email or URI that was used when signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.", "name": "CERTIFICATE_IDENTITY", "type": "string" }, { "default": "", "description": "Expected OIDC issuer in the signing certificate for keyless verification. This should match the issuer that provided the identity token used for signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.", "name": "CERTIFICATE_OIDC_ISSUER", "type": "string" }, { "default": "", "description": "Similar to CERTIFICATE_IDENTITY but the value is a regexp that will be matched. Note that CERTIFICATE_IDENTITY takes precedence over this if both are present.", "name": "CERTIFICATE_IDENTITY_REGEXP", "type": "string" }, { "default": "", "description": "Similar to CERTIFICATE_OIDC_ISSUER but a regexp that will be matched. Note that CERTIFICATE_OIDC_ISSUER takes precedence over this if both are present.", "name": "CERTIFICATE_OIDC_ISSUER_REGEXP", "type": "string" }, { "default": "false", "description": "Skip Rekor transparency log checks during validation. Compatible with traditional signing secret signature checks only. If any of the CERTIFICATE_* keyless verification params are present, this value is disregarded and Rekor transparency log checks are included.", "name": "IGNORE_REKOR", "type": "string" }, { "default": "", "description": "TUF mirror URL. Provide a value when NOT using public sigstore deployment.", "name": "TUF_MIRROR", "type": "string" }, { "default": "", "description": "Path to a directory containing SSL certs to be used when communicating\nwith external services. This is useful when using the integrated registry\nand a local instance of Rekor on a development cluster which may use\ncertificates issued by a not-commonly trusted root CA. In such cases,\n`/var/run/secrets/kubernetes.io/serviceaccount` is a good value. Multiple\npaths can be provided by using the `:` separator.\n", "name": "SSL_CERT_DIR", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "CA_TRUST_CONFIGMAP_NAME", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "true", "description": "Include rule titles and descriptions in the output. Set to `\"false\"` to disable it.", "name": "INFO", "type": "string" }, { "default": "true", "description": "Fail the task if policy fails. Set to `\"false\"` to disable it.", "name": "STRICT", "type": "string" }, { "default": "/tekton/home", "description": "Value for the HOME environment variable.", "name": "HOMEDIR", "type": "string" }, { "default": "now", "description": "Run policy checks with the provided time.", "name": "EFFECTIVE_TIME", "type": "string" }, { "default": "", "description": "Merge additional Rego variables into the policy data. Use syntax \"key=value,key2=value2...\"", "name": "EXTRA_RULE_DATA", "type": "string" }, { "default": "4", "description": "Number of parallel workers to use for policy evaluation.\n", "name": "WORKERS", "type": "string" }, { "default": "false", "description": "Reduce the Snapshot to only the component whose build caused the Snapshot to be created", "name": "SINGLE_COMPONENT", "type": "string" }, { "default": "unknown", "description": "Name, including kind, of the Kubernetes resource to query for labels when single component mode is enabled, e.g. pr/somepipeline.\n", "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE", "type": "string" }, { "default": "", "description": "Kubernetes namespace where the SINGLE_COMPONENT_NAME is found. Only used when single component mode is enabled.\n", "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE_NS", "type": "string" }, { "default": "", "description": "oras options to pass to Trusted Artifacts calls", "name": "ORAS_OPTIONS", "type": "string" }, { "default": "", "description": "Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable.", "name": "TRUSTED_ARTIFACTS_DEBUG", "type": "string" }, { "default": "/var/workdir/conforma", "description": "Directory to use to extract trusted artifact archive.", "name": "TRUSTED_ARTIFACTS_EXTRACT_DIR", "type": "string" }, { "default": "1s", "description": "Base duration for exponential backoff calculation (e.g., \"1s\", \"500ms\")", "name": "RETRY_DURATION", "type": "string" }, { "default": "2.0", "description": "Exponential backoff multiplier (e.g., \"2.0\", \"1.5\")", "name": "RETRY_FACTOR", "type": "string" }, { "default": "0.1", "description": "Randomness factor for backoff calculation (0.0-1.0, e.g., \"0.1\", \"0.2\")", "name": "RETRY_JITTER", "type": "string" }, { "default": "3", "description": "Maximum number of retry attempts", "name": "RETRY_MAX_RETRY", "type": "string" }, { "default": "3s", "description": "Maximum wait time between retries (e.g., \"3s\", \"10s\")", "name": "RETRY_MAX_WAIT", "type": "string" }, { "default": "false", "description": "Enable VSA generation", "name": "ENABLE_VSA", "type": "string" }, { "default": "dsse", "description": "Attestation format: dsse (signed envelope) or predicate (raw JSON)", "name": "ATTESTATION_FORMAT", "type": "string" }, { "default": "", "description": "Signing key for format=dsse (k8s:// or file:// URL)", "name": "VSA_SIGNING_KEY", "type": "string" }, { "default": "local@/var/workdir/conforma/vsa", "description": "VSA upload destination", "name": "VSA_UPLOAD", "type": "string" }, { "default": "", "description": "OCI storage URL for trusted artifacts", "name": "ociStorage", "type": "string" } ], "results": [ { "description": "Short summary of the policy evaluation for each image", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Whether VSAs were generated (true/false)", "name": "VSA_GENERATED", "type": "string" }, { "description": "Trusted Artifact URI containing VSA files", "name": "sourceDataArtifact", "type": "string" } ], "stepTemplate": { "computeResources": {}, "env": [ { "name": "ORAS_OPTIONS" }, { "name": "DEBUG" }, { "name": "HOME", "value": "/tekton/home" } ], "securityContext": { "runAsUser": 1001 }, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/etc/ssl/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/konflux-ci/release-service-trusted-artifacts@sha256:c38e334e3f4e57538baf00f11a35c5088fc5d43a2ccf3234d95bbf64b893ea62=/var/workdir/conforma" ], "computeResources": {}, "image": "quay.io/redhat-appstudio/build-trusted-artifacts:e02102ede09aa07187cba066ad547a54724e5cf4", "name": "use-trusted-artifact" }, { "computeResources": {}, "env": [ { "name": "TUF_MIRROR" } ], "image": "quay.io/conforma/cli:latest", "name": "initialize-tuf", "script": "set -euo pipefail\n\nif [[ -z \"${TUF_MIRROR:-}\" ]]; then\n echo 'TUF_MIRROR parameter not provided. Skipping TUF root initialization.'\n exit\nfi\n\necho 'Initializing TUF root...'\nec sigstore initialize --mirror \"${TUF_MIRROR}\" --root \"${TUF_MIRROR}/root.json\"\necho 'Done!'" }, { "command": [ "reduce-snapshot.sh" ], "computeResources": {}, "env": [ { "name": "SNAPSHOT", "value": "/var/workdir/conforma/ce66dade-fcc6-46b1-913d-89e229d6dac0/snapshot_spec.json" }, { "name": "SINGLE_COMPONENT", "value": "false" }, { "name": "CUSTOM_RESOURCE", "value": "unknown" }, { "name": "CUSTOM_RESOURCE_NAMESPACE" }, { "name": "SNAPSHOT_PATH", "value": "/tekton/home/snapshot.json" } ], "image": "quay.io/conforma/cli:latest", "name": "reduce", "onError": "continue" }, { "computeResources": { "limits": { "memory": "2Gi" }, "requests": { "cpu": "250m", "memory": "2Gi" } }, "env": [ { "name": "POLICY_CONFIGURATION", "value": "{\"description\":\"Red Hat's enterprise requirements\",\"sources\":[{\"name\":\"Default\",\"policy\":[\"oci::quay.io/conforma/release-policy:konflux@sha256:6eb386faaf76de0d7dbc9f9e770a7f5639ebcee88e4ed4f004f8053189b21eae\"],\"data\":[\"oci::quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles:latest@sha256:7612aa06e24e5d8d304e97fd2bde931a6f052f0c1761b766cbcdb20f076c0502\",\"github.com/release-engineering/rhtap-ec-policy.git//data?ref=acaef210b5ddca7a87854b5141556c30efdc2afc\"],\"config\":{\"include\":[\"@slsa3\"]}}],\"configuration\":{\"exclude\":[\"step_image_registries\",\"tasks.required_tasks_found:prefetch-dependencies\"],\"collections\":[\"@slsa3\"]},\"publicKey\":\"k8s://happy-path-managed/cosign-public-key\"}" }, { "name": "PUBLIC_KEY" }, { "name": "CERTIFICATE_IDENTITY" }, { "name": "CERTIFICATE_OIDC_ISSUER" }, { "name": "CERTIFICATE_IDENTITY_REGEXP" }, { "name": "CERTIFICATE_OIDC_ISSUER_REGEXP" }, { "name": "REKOR_HOST" }, { "name": "IGNORE_REKOR", "value": "true" }, { "name": "WORKERS", "value": "4" }, { "name": "INFO", "value": "true" }, { "name": "EFFECTIVE_TIME", "value": "now" }, { "name": "EXTRA_RULE_DATA", "value": "pipeline_intention=release" }, { "name": "RETRY_MAX_WAIT", "value": "3s" }, { "name": "RETRY_MAX_RETRY", "value": "3" }, { "name": "RETRY_DURATION", "value": "1s" }, { "name": "RETRY_FACTOR", "value": "2.0" }, { "name": "RETRY_JITTER", "value": "0.1" }, { "name": "ENABLE_VSA", "value": "false" }, { "name": "ATTESTATION_FORMAT", "value": "dsse" }, { "name": "VSA_SIGNING_KEY" }, { "name": "VSA_UPLOAD", "value": "local@/var/workdir/conforma/vsa" }, { "name": "HOMEDIR", "value": "/tekton/home" }, { "name": "SSL_CERT_DIR", "value": "/tekton-custom-certs:/etc/ssl/certs:/etc/pki/tls/certs:/system/etc/security/cacerts:/var/run/secrets/kubernetes.io/serviceaccount" }, { "name": "EC_CACHE", "value": "false" } ], "image": "quay.io/conforma/cli:latest", "name": "validate", "onError": "continue", "script": "#!/bin/bash\nset -euo pipefail\n\ncmd_args=(\n validate\n image\n --images=\"${HOMEDIR}/snapshot.json\"\n --policy=\"${POLICY_CONFIGURATION}\"\n)\n\n# To keep bash logic as thin as possible we deliberately don't sanitize\n# these params. If something is wrong or missing let Conforma handle it.\n\nif [ -n \"${CERTIFICATE_IDENTITY}\" ] || \\\n [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ] || \\\n [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ] || \\\n [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n # If *any* of the above are non-empty assume the intention is to\n # try keyless verification\n\n if [ -n \"${CERTIFICATE_IDENTITY}\" ]; then\n cmd_args+=(\n --certificate-identity=\"${CERTIFICATE_IDENTITY}\"\n )\n elif [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ]; then\n cmd_args+=(\n --certificate-identity-regexp=\"${CERTIFICATE_IDENTITY_REGEXP}\"\n )\n fi\n\n if [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ]; then\n cmd_args+=(\n --certificate-oidc-issuer=\"${CERTIFICATE_OIDC_ISSUER}\"\n )\n elif [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n cmd_args+=(\n --certificate-oidc-issuer-regexp=\"${CERTIFICATE_OIDC_ISSUER_REGEXP}\"\n )\n fi\n\n # Force --ignore-rekor to false since we need rekor\n cmd_args+=(\n --ignore-rekor=false\n )\nelse\n # Assume traditional signing secret verification\n cmd_args+=(\n --public-key=\"${PUBLIC_KEY}\"\n --ignore-rekor=\"${IGNORE_REKOR}\"\n )\nfi\n\ncmd_args+=(\n --rekor-url=\"${REKOR_HOST}\"\n --workers=\"${WORKERS}\"\n --info=\"${INFO}\"\n --timeout=0\n --strict=false\n --show-successes=true\n --effective-time=\"${EFFECTIVE_TIME}\"\n --extra-rule-data=\"${EXTRA_RULE_DATA}\"\n --retry-max-wait=\"${RETRY_MAX_WAIT}\"\n --retry-max-retry=\"${RETRY_MAX_RETRY}\"\n --retry-duration=\"${RETRY_DURATION}\"\n --retry-factor=\"${RETRY_FACTOR}\"\n --retry-jitter=\"${RETRY_JITTER}\"\n --output=\"text=${HOMEDIR}/text-report.txt?show-successes=false\"\n --output=\"json=${HOMEDIR}/report-json.json\"\n --output=\"appstudio=/tekton/results/TEST_OUTPUT\"\n)\n\n# Add VSA arguments if enabled\nif [[ \"${ENABLE_VSA}\" == \"true\" ]]; then\n cmd_args+=(\n --vsa=\"true\"\n --attestation-format=\"${ATTESTATION_FORMAT}\"\n )\n\n\n if [[ \"${ATTESTATION_FORMAT}\" == \"dsse\" ]]; then\n if [[ -z \"${VSA_SIGNING_KEY}\" ]]; then\n echo \"ERROR: VSA_SIGNING_KEY required for format=dsse\" \u003e\u00262\n exit 1\n fi\n cmd_args+=(\n --vsa-signing-key=\"${VSA_SIGNING_KEY}\"\n --vsa-upload=\"${VSA_UPLOAD}\"\n )\n fi\n\n # ec requires --attestation-output-dir to be under /tmp or cwd.\n # Write there first, then copy to the workdir so\n # create-trusted-artifact includes them in the archive.\n VSA_TMP_DIR=\"/tmp/vsa-output\"\n mkdir -p \"$VSA_TMP_DIR\"\n cmd_args+=(\n --attestation-output-dir=\"$VSA_TMP_DIR\"\n )\n\n echo -n \"true\" \u003e /tekton/results/VSA_GENERATED\nelse\n echo -n \"false\" \u003e /tekton/results/VSA_GENERATED\nfi\n\n# Execute Conforma with constructed arguments\nec \"${cmd_args[@]}\"\n\n# Copy VSA output from /tmp to workdir for trusted artifact archival\nif [[ \"${ENABLE_VSA}\" == \"true\" ]]; then\n # Extract local path from VSA_UPLOAD for output directory\n # VSA_UPLOAD format is \"local@/path/to/dir\"\n # Fixme: Because of -o pipefail this will fail the whole task when the grep doesn't match\n VSA_LOCAL_PATH=$(echo \"${VSA_UPLOAD}\" | grep -oE '^local@[^ ]+' | sed 's/^local@//' | head -n1 || true)\n if [[ -n \"$VSA_LOCAL_PATH\" \u0026\u0026 -d \"/tmp/vsa-output\" ]]; then\n mkdir -p \"$VSA_LOCAL_PATH\"\n cp -r /tmp/vsa-output/* \"$VSA_LOCAL_PATH\"/ 2\u003e/dev/null || true\n # Include raw JSON report for downstream SLSA VSA generation\n cp \"${HOMEDIR}/report-json.json\" \"$VSA_LOCAL_PATH\"/ 2\u003e/dev/null || true\n fi\nfi\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "args": [ "jq . /tekton/home/report-json.json | awk '{gsub(/^ +/, \"\"); acc += length; if (acc \u003e= 8000) { printf \"\\n\"; acc=length } printf $0 }'" ], "command": [ "sh", "-c" ], "computeResources": {}, "image": "quay.io/conforma/cli:latest", "name": "report-json", "onError": "continue" }, { "args": [ ".", "/tekton/results/TEST_OUTPUT" ], "command": [ "jq" ], "computeResources": {}, "image": "quay.io/conforma/cli:latest", "name": "summary", "onError": "continue" }, { "args": [ "version" ], "command": [ "ec" ], "computeResources": {}, "image": "quay.io/conforma/cli:latest", "name": "version" }, { "args": [ "{policy: .policy, key: .key, \"effective-time\": .[\"effective-time\"]}", "/tekton/home/report-json.json" ], "command": [ "jq" ], "computeResources": {}, "image": "quay.io/conforma/cli:latest", "name": "show-config" }, { "args": [ "/tekton/home/text-report.txt" ], "command": [ "cat" ], "computeResources": {}, "image": "quay.io/conforma/cli:latest", "name": "detailed-report", "onError": "continue" }, { "args": [ "--argjson", "strict", "true", "-e", ".result == \"SUCCESS\" or .result == \"WARNING\" or ($strict | not)\n", "/tekton/results/TEST_OUTPUT" ], "command": [ "jq" ], "computeResources": {}, "image": "quay.io/conforma/cli:latest", "name": "assert" }, { "args": [ "create", "--store", "", "/tekton/results/sourceDataArtifact=/var/workdir/conforma" ], "computeResources": { "limits": { "memory": "128Mi" }, "requests": { "cpu": "250m", "memory": "128Mi" } }, "env": [ { "name": "HOME", "value": "/tekton/home" }, { "name": "ORAS_OPTIONS" }, { "name": "CA_FILE", "value": "/mnt/trusted-ca/ca-bundle.crt" } ], "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476", "name": "create-trusted-artifact", "when": [ { "input": "false", "operator": "in", "values": [ "true" ] }, { "operator": "notin", "values": [ "", "empty" ] } ] } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "chains.tekton.dev/signed": "true", "operator-sdk/primary-resource": "tenant-dev-8nu4/snapshot-sample-q6v9-d499148-l6p8h", "operator-sdk/primary-resource-type": "Release.appstudio.redhat.com", "pac.test.appstudio.openshift.io/sha": "d49914874789147eb2de9bb6a12cd5d150bfff92", "pac.test.appstudio.openshift.io/url-repository": "https://github.com/redhat-appstudio-qe/dc-metro-map-release", "pipeline.tekton.dev/release": "9db88e0", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "tenant-dev-8nu4/results/450b6ffc-727e-48de-a74f-c2db7bb3c68d/records/0e65d429-0a30-46a3-92f5-8d6495ebec0f", "results.tekton.dev/result": "tenant-dev-8nu4/results/450b6ffc-727e-48de-a74f-c2db7bb3c68d", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "e2e" }, "creationTimestamp": "2026-04-28T07:43:01Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-04-28T07:43:25Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "tekton-pipelines", "app.kubernetes.io/version": "0.1", "appstudio.openshift.io/application": "appstudio", "appstudio.openshift.io/service": "release", "appstudio.openshift.io/snapshot": "snapshot-sample-q6v9", "pipelines.appstudio.openshift.io/type": "tenant", "release.appstudio.openshift.io/name": "snapshot-sample-q6v9-d499148-l6p8h", "release.appstudio.openshift.io/namespace": "tenant-dev-8nu4", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "simple-pipeline", "tekton.dev/pipelineRun": "tenant-4pp5b", "tekton.dev/pipelineRunUID": "450b6ffc-727e-48de-a74f-c2db7bb3c68d", "tekton.dev/pipelineTask": "hello-world" }, "name": "tenant-4pp5b-hello-world", "namespace": "tenant-dev-8nu4", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "tenant-4pp5b", "uid": "450b6ffc-727e-48de-a74f-c2db7bb3c68d" } ], "resourceVersion": "7124", "uid": "0e65d429-0a30-46a3-92f5-8d6495ebec0f" }, "spec": { "params": [ { "name": "MESSAGE", "value": "hello world" } ], "serviceAccountName": "tenant-service-account", "taskSpec": { "params": [ { "name": "MESSAGE", "type": "string" } ], "steps": [ { "computeResources": {}, "image": "registry.access.redhat.com/ubi9/ubi:9.4-1214", "name": "echo-message", "script": "#!/usr/bin/env sh\n\necho $(params.MESSAGE) \n" } ] }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-04-28T07:43:13Z", "conditions": [ { "lastTransitionTime": "2026-04-28T07:43:13Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "tenant-4pp5b-hello-world-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" } }, "startTime": "2026-04-28T07:43:01Z", "steps": [ { "container": "step-echo-message", "imageID": "registry.access.redhat.com/ubi9/ubi@sha256:9460515b85f2a75278f2043438583c1c377c44bf100178bb653a6c8658304ac7", "name": "echo-message", "provenance": {}, "terminated": { "containerID": "containerd://403786655e1ea378e4ded02f15ccafd117aa750c4c512518bc3201524cf29e32", "exitCode": 0, "finishedAt": "2026-04-28T07:43:12Z", "reason": "Completed", "startedAt": "2026-04-28T07:43:12Z" }, "terminationReason": "Completed" } ], "taskSpec": { "params": [ { "name": "MESSAGE", "type": "string" } ], "steps": [ { "computeResources": {}, "image": "registry.access.redhat.com/ubi9/ubi:9.4-1214", "name": "echo-message", "script": "#!/usr/bin/env sh\n\necho hello world \n" } ] } } } ], "kind": "List", "metadata": { "resourceVersion": "" } }