{
    "apiVersion": "v1",
    "items": [
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "operator-sdk/primary-resource": "default-tenant/tsf-demo-app-20260425-083920-000-f531195-x7qn4",
                    "operator-sdk/primary-resource-type": "Release.appstudio.redhat.com",
                    "pac.test.appstudio.openshift.io/branch": "base-vbzktl",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998372575",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-wjhlte",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-4l278",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-vbzktl\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #234 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/f531195f8270badfde86d3c2463affa6ca989043",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-vbzktl",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/record": "default-managed-tenant-c009b/results/f047ab00-5f5f-4427-9850-23932682dd3e/records/f047ab00-5f5f-4427-9850-23932682dd3e",
                    "results.tekton.dev/result": "default-managed-tenant-c009b/results/f047ab00-5f5f-4427-9850-23932682dd3e",
                    "results.tekton.dev/stored": "false",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "release"
                },
                "creationTimestamp": "2026-04-25T08:47:47Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/service": "release",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083920-000",
                    "pipelines.appstudio.openshift.io/type": "managed",
                    "release.appstudio.openshift.io/name": "tsf-demo-app-20260425-083920-000-f531195-x7qn4",
                    "release.appstudio.openshift.io/namespace": "default-tenant",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "push-to-external-registry",
                    "tekton.dev/pipelineRun": "managed-9z42m",
                    "tekton.dev/pipelineRunUID": "f047ab00-5f5f-4427-9850-23932682dd3e",
                    "tekton.dev/pipelineTask": "collect-data",
                    "tekton.dev/task": "collect-data"
                },
                "name": "managed-9z42m-collect-data",
                "namespace": "default-managed-tenant-c009b",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "managed-9z42m",
                        "uid": "f047ab00-5f5f-4427-9850-23932682dd3e"
                    }
                ],
                "resourceVersion": "48413",
                "uid": "4f04b5be-f47b-4229-abdf-5192a59055cc"
            },
            "spec": {
                "params": [
                    {
                        "name": "release",
                        "value": "default-tenant/tsf-demo-app-20260425-083920-000-f531195-x7qn4"
                    },
                    {
                        "name": "releasePlan",
                        "value": "default-tenant/tsf-release"
                    },
                    {
                        "name": "releasePlanAdmission",
                        "value": "default-managed-tenant-c009b/tsf-release"
                    },
                    {
                        "name": "releaseServiceConfig",
                        "value": "release-service/release-service-config"
                    },
                    {
                        "name": "snapshot",
                        "value": "default-tenant/tsf-demo-app-20260425-083920-000"
                    },
                    {
                        "name": "subdirectory",
                        "value": "f047ab00-5f5f-4427-9850-23932682dd3e"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts"
                    },
                    {
                        "name": "dataDir",
                        "value": "/var/workdir/release"
                    },
                    {
                        "name": "trustedArtifactsDebug",
                        "value": ""
                    },
                    {
                        "name": "taskGitUrl",
                        "value": "https://github.com/konflux-ci/release-service-catalog.git"
                    },
                    {
                        "name": "taskGitRevision",
                        "value": "development"
                    }
                ],
                "serviceAccountName": "release-pipeline",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/release-service-catalog.git"
                        },
                        {
                            "name": "revision",
                            "value": "development"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/managed/collect-data/collect-data.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:47:48Z",
                        "message": "pod status \"PodReadyToStartContainers\":\"False\"; message: \"\"",
                        "reason": "Pending",
                        "status": "Unknown",
                        "type": "Succeeded"
                    }
                ],
                "podName": "managed-9z42m-collect-data-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                        },
                        "entryPoint": "tasks/managed/collect-data/collect-data.yaml",
                        "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                    }
                },
                "startTime": "2026-04-25T08:47:47Z",
                "steps": [
                    {
                        "container": "step-create-trusted-artifact",
                        "name": "create-trusted-artifact",
                        "provenance": {
                            "refSource": {
                                "digest": {
                                    "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                                },
                                "entryPoint": "stepactions/create-trusted-artifact/create-trusted-artifact.yaml",
                                "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                            }
                        },
                        "waiting": {
                            "reason": "PodInitializing"
                        }
                    },
                    {
                        "container": "step-collect-data",
                        "name": "collect-data",
                        "waiting": {
                            "reason": "PodInitializing"
                        }
                    },
                    {
                        "container": "step-check-data-key-sources",
                        "name": "check-data-key-sources",
                        "waiting": {
                            "reason": "PodInitializing"
                        }
                    }
                ],
                "taskSpec": {
                    "description": "Tekton task to collect the information added to the data field of the release resources.\n\nThe purpose of this task is to collect all the data and supply it to the other tasks in the pipeline by creating\na json file called `data.json` in the workspace.\n\nThis task also stores the passed resources as json files in a workspace.\n\nThe parameters to this task are lowercase instead of camelCase because they are passed from the operator, and the\noperator passes them as lowercase.\n\nA task result is returned for each resource with the relative path to the stored JSON for it in the workspace.\n\nFinally, the task checks that each key comes from the correct resource (for example, a key that should come from the\nReleasePlanAdmission should not be present in the Release data section).",
                    "params": [
                        {
                            "description": "The namespaced name of the Release",
                            "name": "release",
                            "type": "string"
                        },
                        {
                            "description": "The namespaced name of the ReleasePlan",
                            "name": "releasePlan",
                            "type": "string"
                        },
                        {
                            "description": "The namespaced name of the ReleasePlanAdmission",
                            "name": "releasePlanAdmission",
                            "type": "string"
                        },
                        {
                            "description": "The namespaced name of the ReleaseServiceConfig",
                            "name": "releaseServiceConfig",
                            "type": "string"
                        },
                        {
                            "description": "The namespaced name of the Snapshot",
                            "name": "snapshot",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Subdirectory inside the workspace to be used",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "empty",
                            "description": "The OCI repository where the Trusted Artifacts are stored",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "oras options to pass to Trusted Artifacts calls",
                            "name": "orasOptions",
                            "type": "string"
                        },
                        {
                            "default": "1d",
                            "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable",
                            "name": "trustedArtifactsDebug",
                            "type": "string"
                        },
                        {
                            "default": "/var/workdir/release",
                            "description": "The location where data will be stored",
                            "name": "dataDir",
                            "type": "string"
                        },
                        {
                            "description": "The url to the git repo where the release-service-catalog tasks and stepactions to be used are stored",
                            "name": "taskGitUrl",
                            "type": "string"
                        },
                        {
                            "description": "The revision in the taskGitUrl repo to be used",
                            "name": "taskGitRevision",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "/mnt/trusted-ca/ca-bundle.crt",
                            "description": "Path to CA certificate bundle for TLS verification with self-signed certificates",
                            "name": "caCertPath",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The relative path in the workspace to the stored release json",
                            "name": "release",
                            "type": "string"
                        },
                        {
                            "description": "The relative path in the workspace to the stored releasePlan json",
                            "name": "releasePlan",
                            "type": "string"
                        },
                        {
                            "description": "The relative path in the workspace to the stored releasePlanAdmission json",
                            "name": "releasePlanAdmission",
                            "type": "string"
                        },
                        {
                            "description": "The relative path in the workspace to the stored releaseServiceConfig json",
                            "name": "releaseServiceConfig",
                            "type": "string"
                        },
                        {
                            "description": "The relative path in the workspace to the stored snapshotSpec json",
                            "name": "snapshotSpec",
                            "type": "string"
                        },
                        {
                            "description": "The relative path in the workspace to the stored data json",
                            "name": "data",
                            "type": "string"
                        },
                        {
                            "description": "The relative path in the workspace to the results directory",
                            "name": "resultsDir",
                            "type": "string"
                        },
                        {
                            "description": "single component mode",
                            "name": "singleComponentMode",
                            "type": "string"
                        },
                        {
                            "description": "name of Snapshot resource",
                            "name": "snapshotName",
                            "type": "string"
                        },
                        {
                            "description": "namespace where Snapshot is located",
                            "name": "snapshotNamespace",
                            "type": "string"
                        },
                        {
                            "description": "Build Id where Snapshot originated",
                            "name": "snapshotBuildId",
                            "type": "string"
                        },
                        {
                            "description": "json object containing git resolver metadata about the running release pipeline",
                            "name": "releasePipelineMetadata",
                            "type": "string"
                        },
                        {
                            "description": "Produced trusted data artifact",
                            "name": "sourceDataArtifact",
                            "type": "string"
                        },
                        {
                            "description": "Subdirectory inside the workspace to be used",
                            "name": "subdirectory",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "1d"
                            },
                            {
                                "name": "ORAS_OPTIONS"
                            },
                            {
                                "name": "DEBUG"
                            }
                        ],
                        "securityContext": {
                            "runAsUser": 1001
                        },
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "64Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "64Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "RELEASE",
                                    "value": "default-tenant/tsf-demo-app-20260425-083920-000-f531195-x7qn4"
                                },
                                {
                                    "name": "RELEASE_PLAN",
                                    "value": "default-tenant/tsf-release"
                                },
                                {
                                    "name": "RELEASE_PLAN_ADMISSION",
                                    "value": "default-managed-tenant-c009b/tsf-release"
                                },
                                {
                                    "name": "RELEASE_SERVICE_CONFIG",
                                    "value": "release-service/release-service-config"
                                },
                                {
                                    "name": "SNAPSHOT",
                                    "value": "default-tenant/tsf-demo-app-20260425-083920-000"
                                }
                            ],
                            "image": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                            "name": "collect-data",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n\nif [ -f \"/mnt/trusted-ca/ca-bundle.crt\" ]; then\n    export SSL_CERT_FILE=\"/mnt/trusted-ca/ca-bundle.crt\"\nfi\n\nset -x\necho -n \"f047ab00-5f5f-4427-9850-23932682dd3e\" \u003e \"/tekton/results/subdirectory\"\n\nRESULTS_DIR_PATH=\"results\"\nif [ -n \"f047ab00-5f5f-4427-9850-23932682dd3e\" ]; then\n  mkdir -p \"/var/workdir/release/f047ab00-5f5f-4427-9850-23932682dd3e\"\n  RESULTS_DIR_PATH=\"f047ab00-5f5f-4427-9850-23932682dd3e/results\"\nfi\n\nmkdir -p \"/var/workdir/release/$RESULTS_DIR_PATH\"\necho -n \"$RESULTS_DIR_PATH\" \u003e \"/tekton/results/resultsDir\"\n\nRELEASE_PATH=\"f047ab00-5f5f-4427-9850-23932682dd3e/release.json\"\necho -n \"$RELEASE_PATH\" \u003e \"/tekton/results/release\"\nget-resource \"release\" \"${RELEASE}\" | tee \"/var/workdir/release/$RELEASE_PATH\"\n\nRELEASEPLAN_PATH=\"f047ab00-5f5f-4427-9850-23932682dd3e/release_plan.json\"\necho -n \"$RELEASEPLAN_PATH\" \u003e \"/tekton/results/releasePlan\"\nget-resource \"releaseplan\" \"${RELEASE_PLAN}\" | tee \"/var/workdir/release/$RELEASEPLAN_PATH\"\n\nRELEASEPLANADMISSION_PATH=\"f047ab00-5f5f-4427-9850-23932682dd3e/release_plan_admission.json\"\necho -n \"$RELEASEPLANADMISSION_PATH\" \u003e \"/tekton/results/releasePlanAdmission\"\nget-resource \"releaseplanadmission\" \"${RELEASE_PLAN_ADMISSION}\" \\\n  | tee \"/var/workdir/release/$RELEASEPLANADMISSION_PATH\"\n\nRELEASESERVICECONFIG_PATH=\"f047ab00-5f5f-4427-9850-23932682dd3e/release_service_config.json\"\necho -n \"$RELEASESERVICECONFIG_PATH\" \u003e \"/tekton/results/releaseServiceConfig\"\nget-resource \"releaseserviceconfig\" \"${RELEASE_SERVICE_CONFIG}\" \\\n  | tee \"/var/workdir/release/$RELEASESERVICECONFIG_PATH\"\n\necho -e \"\\nFetching Snapshot Spec\"\nSNAPSHOTSPEC_PATH=\"f047ab00-5f5f-4427-9850-23932682dd3e/snapshot_spec.json\"\necho -n \"$SNAPSHOTSPEC_PATH\" \u003e \"/tekton/results/snapshotSpec\"\nget-resource \"snapshot\" \"${SNAPSHOT}\" 
\"{.spec}\" \\\n  | jq '(if .componentGroup == null then .componentGroup = .application else . end) | del(.application)' \\\n  | tee \"/var/workdir/release/$SNAPSHOTSPEC_PATH\"\nlabels=$(get-resource \"snapshot\" \"${SNAPSHOT}\" \"{.metadata.labels}\")\nBUILD_ID=$(jq -r '.\"appstudio.openshift.io/build-pipelinerun\" // \"\"' \u003c\u003c\u003c \"${labels}\")\necho -n \"${BUILD_ID}\" | tee \"/tekton/results/snapshotBuildId\"\n\necho -e \"\\nGenerating collectors data\"\ncollectors_status=$(get-resource \"release\" \"${RELEASE}\" \"{.status.collectors}\")\necho \"***collectors status\"\necho \"${collectors_status}\"\necho \"***\"\n\ncollectors_result=$(jq -c '\n  def deepmerge(a; b):\n    reduce b[] as $item (a;\n    reduce ($item | keys_unsorted[]) as $key (.;\n    $item[$key] as $val | ($val | type) as $type | .[$key] = if ($type == \"object\") then\n    deepmerge({}; [if .[$key] == null then {} else .[$key] end, $val])\n    elif ($type == \"array\") then\n    (.[$key] + $val | unique)\n    else\n    $val\n    end)\n    );\n\n  # Ensure we safely handle missing collectors\n  (.? // {}) as $collectors |\n\n  # Flatten and combine the managed and tenant sections\n  [($collectors.managed? // {} | to_entries | map(.value)) +\n   ($collectors.tenant? // {} | to_entries | map(.value))] |\n   flatten |\n   deepmerge({}; .)\n' \u003c\u003c\u003c \"${collectors_status}\")\necho \"***collectors\"\njq \u003c\u003c\u003c \"$collectors_result\"\necho \"***\"\n\necho -e \"\\nFetching merged data json\"\nrelease_result=$(get-resource \"release\" \"${RELEASE}\" \"{.spec.data}\")\n\nrelease_plan_result=$(get-resource \"releaseplan\" \"${RELEASE_PLAN}\" \"{.spec.data}\")\n\nrelease_plan_admission_result=$(get-resource \"releaseplanadmission\" \"${RELEASE_PLAN_ADMISSION}\" \\\n    \"{.spec.data}\")\n\n# Merge collectors and Release keys. Release has higher priority\nmerged_output=$(merge-json \"$collectors_result\" \"$release_result\")\n\n# Merge now with ReleasePlan keys. 
ReleasePlan has higher priority\nmerged_output=$(merge-json \"$merged_output\" \"$release_plan_result\")\n\n# Finally merge with ReleasePlanAdmission keys. ReleasePlanAdmission has higher priority\nmerged_output=$(merge-json \"$merged_output\" \"$release_plan_admission_result\")\n\nDATA_PATH=\"f047ab00-5f5f-4427-9850-23932682dd3e/data.json\"\necho -n \"$DATA_PATH\" \u003e \"/tekton/results/data\"\necho \"$merged_output\" | tee \"/var/workdir/release/$DATA_PATH\"\n\n# get pipeline ref info\npipelineref=$(jq -c '.spec.pipeline.pipelineRef' \\\n  \"/var/workdir/release/f047ab00-5f5f-4427-9850-23932682dd3e/release_plan_admission.json\")\nresolver=$(jq -r '.resolver // \"\"' \u003c\u003c\u003c \"${pipelineref}\")\nif [ \"${resolver}\" == \"git\" ] ; then\n  url=$(jq -r '.params[] | select(.name==\"url\") | .value' \u003c\u003c\u003c \"${pipelineref}\")\n  revision=$(jq -r '.params[] | select(.name==\"revision\") | .value' \u003c\u003c\u003c \"${pipelineref}\")\n  pathinrepo=$(jq -r '.params[] | select(.name==\"pathInRepo\") | .value' \u003c\u003c\u003c \"${pipelineref}\")\n  orgrepo=\"${url#*/*/*/}\"\n  org=$(echo \"${orgrepo}\" | cut -f1 -d/)\n  repo=$(echo \"${orgrepo}\" | cut -f2 -d/ | cut -d. -f1)\n\n  sha=$(curl -s \"https://api.github.com/repos/${org}/${repo}/commits/${revision}\" | jq -r '.sha // \"\"')\n\nfi\n\norg=\"${org:-unknown}\"\nrepo=\"${repo:-unknown}\"\nrevision=\"${revision:-unknown}\"\npathinrepo=\"${pathinrepo:-unknown}\"\nsha=\"${sha:-unknown}\"\n\necho \"\"\necho \"Release Pipeline Ref Info:\"\necho \"--------------------------\"\n\njson=$(jq -n -c \\\n  --arg org \"${org}\" \\\n  --arg repo \"${repo}\" \\\n  --arg revision \"${revision}\" \\\n  --arg pathinrepo \"${pathinrepo}\" \\\n  --arg sha \"${sha}\" \\\n  '$ARGS.named')\n\necho \"${json}\" \u003e \"/tekton/results/releasePipelineMetadata\"\n# pretty print for log message\njq . 
\u003c\u003c\u003c \"$json\"\n\nSINGLE_COMPONENT_MODE=$(jq -r '.singleComponentMode // \"false\"' \"/var/workdir/release/$DATA_PATH\")\nSNAPSHOT_NAME=$(echo \"${SNAPSHOT}\" | cut -f2 -d/)\nSNAPSHOT_NAMESPACE=$(echo \"${SNAPSHOT}\" | cut -f1 -d/)\n\necho -n \"${SINGLE_COMPONENT_MODE}\" | tee \"/tekton/results/singleComponentMode\"\necho -n \"${SNAPSHOT_NAME}\" | tee \"/tekton/results/snapshotName\"\necho -n \"${SNAPSHOT_NAMESPACE}\" | tee \"/tekton/results/snapshotNamespace\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "10m",
                                    "memory": "32Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                            "name": "check-data-key-sources",
                            "script": "#!/usr/bin/env bash\nset -ex\n\nDISALLOWED_KEYS_JSON='{\n    \"Release\": [\n        \"releaseNotes.product_id\",\n        \"releaseNotes.product_name\",\n        \"releaseNotes.product_version\",\n        \"releaseNotes.product_stream\",\n        \"releaseNotes.cpe\",\n        \"releaseNotes.allow_custom_live_id\"\n    ],\n    \"ReleasePlan\": [\n        \"releaseNotes.product_id\",\n        \"releaseNotes.product_name\",\n        \"releaseNotes.product_version\",\n        \"releaseNotes.product_stream\",\n        \"releaseNotes.cpe\",\n        \"releaseNotes.allow_custom_live_id\"\n    ],\n    \"ReleasePlanAdmission\": [\n    ]\n}'\n\nRC=0\n\ncheck_source () { # Expected arguments are [CRD from DISALLOWED_KEYS_JSON, file]\n    for KEY in $(jq -r \".$1[]\" \u003c\u003c\u003c \"$DISALLOWED_KEYS_JSON\") ; do\n        if [[ $(jq \".spec.data.$KEY\" \"$2\") != \"null\" ]] ; then\n            echo \"Found disallowed key: $KEY in resource $1\"\n            RC=1\n        fi\n    done\n}\n\ncheck_source \"Release\" \"/var/workdir/release/f047ab00-5f5f-4427-9850-23932682dd3e/release.json\"\ncheck_source \"ReleasePlan\" \"/var/workdir/release/f047ab00-5f5f-4427-9850-23932682dd3e/release_plan.json\"\ncheck_source \"ReleasePlanAdmission\" \\\n    \"/var/workdir/release/f047ab00-5f5f-4427-9850-23932682dd3e/release_plan_admission.json\"\n\nexit $RC\n"
                        },
                        {
                            "args": [
                                "create",
                                "--store",
                                "quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts",
                                "/tekton/results/sourceDataArtifact=/var/workdir/release"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "128Mi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "128Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "ORAS_OPTIONS"
                                },
                                {
                                    "name": "CA_FILE",
                                    "value": "/mnt/trusted-ca/ca-bundle.crt"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "create-trusted-artifact"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=84",
                    "operator-sdk/primary-resource": "default-tenant/tsf-demo-app-20260425-083920-000-f531195-x7qn4",
                    "operator-sdk/primary-resource-type": "Release.appstudio.redhat.com",
                    "pac.test.appstudio.openshift.io/branch": "base-vbzktl",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998372575",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-wjhlte",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-4l278",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-vbzktl\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #234 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/f531195f8270badfde86d3c2463affa6ca989043",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-vbzktl",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-managed-tenant-c009b/results/f047ab00-5f5f-4427-9850-23932682dd3e/records/a5be9f4e-acfe-43e9-9d22-78eaf79804f9",
                    "results.tekton.dev/result": "default-managed-tenant-c009b/results/f047ab00-5f5f-4427-9850-23932682dd3e",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "release"
                },
                "creationTimestamp": "2026-04-25T08:47:39Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/service": "release",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083920-000",
                    "pipelines.appstudio.openshift.io/type": "managed",
                    "release.appstudio.openshift.io/name": "tsf-demo-app-20260425-083920-000-f531195-x7qn4",
                    "release.appstudio.openshift.io/namespace": "default-tenant",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "push-to-external-registry",
                    "tekton.dev/pipelineRun": "managed-9z42m",
                    "tekton.dev/pipelineRunUID": "f047ab00-5f5f-4427-9850-23932682dd3e",
                    "tekton.dev/pipelineTask": "verify-access-to-resources",
                    "tekton.dev/task": "verify-access-to-resources"
                },
                "name": "managed-9z42m-verify-access-to-resources",
                "namespace": "default-managed-tenant-c009b",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "managed-9z42m",
                        "uid": "f047ab00-5f5f-4427-9850-23932682dd3e"
                    }
                ],
                "resourceVersion": "48366",
                "uid": "a5be9f4e-acfe-43e9-9d22-78eaf79804f9"
            },
            "spec": {
                "params": [
                    {
                        "name": "release",
                        "value": "default-tenant/tsf-demo-app-20260425-083920-000-f531195-x7qn4"
                    },
                    {
                        "name": "releasePlan",
                        "value": "default-tenant/tsf-release"
                    },
                    {
                        "name": "releasePlanAdmission",
                        "value": "default-managed-tenant-c009b/tsf-release"
                    },
                    {
                        "name": "releaseServiceConfig",
                        "value": "release-service/release-service-config"
                    },
                    {
                        "name": "snapshot",
                        "value": "default-tenant/tsf-demo-app-20260425-083920-000"
                    },
                    {
                        "name": "requireInternalServices",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "release-pipeline",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/release-service-catalog.git"
                        },
                        {
                            "name": "revision",
                            "value": "development"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/managed/verify-access-to-resources/verify-access-to-resources.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:47:46Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:47:46Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "managed-9z42m-verify-access-to-resources-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                        },
                        "entryPoint": "tasks/managed/verify-access-to-resources/verify-access-to-resources.yaml",
                        "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                    }
                },
                "startTime": "2026-04-25T08:47:39Z",
                "steps": [
                    {
                        "container": "step-verify-access-to-resources",
                        "imageID": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                        "name": "verify-access-to-resources",
                        "terminated": {
                            "containerID": "cri-o://da8957616e2cd168afe7691dfcf3b6298f941de8f66dc4c532099cc6b9dd74ac",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:47:46Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:47:45Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This Tekton task is used to verify access to various resources in the pipelines. It ensures that the necessary\nresources, such as the release, release plan, release plan admission, release service config and snapshot,\nare available and accessible. Additionally, it checks if internal requests can be created if\n`requireInternalServices` is set to `true`.",
                    "params": [
                        {
                            "description": "Namespace/name of the Release",
                            "name": "release",
                            "type": "string"
                        },
                        {
                            "description": "Namespace/name of the ReleasePlan",
                            "name": "releasePlan",
                            "type": "string"
                        },
                        {
                            "description": "Namespace/name of the ReleasePlanAdmission",
                            "name": "releasePlanAdmission",
                            "type": "string"
                        },
                        {
                            "description": "Namespace/name of the ReleaseServiceConfig",
                            "name": "releaseServiceConfig",
                            "type": "string"
                        },
                        {
                            "description": "Namespace/name of the Snapshot",
                            "name": "snapshot",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether internal services are required",
                            "name": "requireInternalServices",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "securityContext": {
                            "runAsUser": 1001
                        },
                        "volumeMounts": [
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "100Mi"
                                },
                                "requests": {
                                    "cpu": "10m",
                                    "memory": "100Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                            "name": "verify-access-to-resources",
                            "script": "#!/usr/bin/env bash\n\nORIGIN_NAMESPACE=\"$(cut -f1 -d/ \u003c\u003c\u003c \"default-tenant/tsf-demo-app-20260425-083920-000-f531195-x7qn4\")\"\nTARGET_NAMESPACE=\"$(cut -f1 -d/ \u003c\u003c\u003c \"default-managed-tenant-c009b/tsf-release\")\"\nRSC_NAMESPACE=\"$(cut -f1 -d/ \u003c\u003c\u003c \"release-service/release-service-config\")\"\n\nRELEASE_NAME=\"$(cut -f2 -d/ \u003c\u003c\u003c \"default-tenant/tsf-demo-app-20260425-083920-000-f531195-x7qn4\")\"\nRELEASEPLAN_NAME=\"$(cut -f2 -d/ \u003c\u003c\u003c \"default-tenant/tsf-release\")\"\nRELEASEPLANADMISSION_NAME=\"$(cut -f2 -d/ \u003c\u003c\u003c \"default-managed-tenant-c009b/tsf-release\")\"\nRELEASESERVICECONFIG_NAME=\"$(cut -f2 -d/ \u003c\u003c\u003c \"release-service/release-service-config\")\"\nSNAPSHOT_NAME=\"$(cut -f2 -d/ \u003c\u003c\u003c \"default-tenant/tsf-demo-app-20260425-083920-000\")\"\n\nCAN_I_READ_RELEASES=\"$(kubectl auth can-i get release/\"${RELEASE_NAME}\" -n \"${ORIGIN_NAMESPACE}\")\"\nCAN_I_READ_RELEASEPLANS=\"$(kubectl auth can-i get releaseplan/\"${RELEASEPLAN_NAME}\"\\\n    -n \"${ORIGIN_NAMESPACE}\")\"\nCAN_I_READ_RELEASEPLANADMISSIONS=\"$(kubectl auth can-i get\\\n    releaseplanadmission/\"${RELEASEPLANADMISSION_NAME}\" -n \"${TARGET_NAMESPACE}\")\"\nCAN_I_READ_RELEASESERVICECONFIG=\"$(kubectl auth can-i get\\\n    releaseserviceconfig/\"${RELEASESERVICECONFIG_NAME}\" -n \"${RSC_NAMESPACE}\")\"\nCAN_I_READ_SNAPSHOTS=\"$(kubectl auth can-i get snapshot/\"${SNAPSHOT_NAME}\" -n \"${ORIGIN_NAMESPACE}\")\"\n\nif [ \"false\" = \"true\" ]; then\n  CAN_I_CREATE_INTERNALREQUESTS=\"$(kubectl auth can-i create internalrequest -n \"${TARGET_NAMESPACE}\")\"\nelse\n  CAN_I_CREATE_INTERNALREQUESTS=\"skipped\"\nfi\n\necho \"\"\necho \"CAN_I_READ_RELEASES? ${CAN_I_READ_RELEASES}\"\necho \"CAN_I_READ_RELEASEPLANS? ${CAN_I_READ_RELEASEPLANS}\"\necho \"CAN_I_READ_RELEASEPLANADMISSIONS? 
${CAN_I_READ_RELEASEPLANADMISSIONS}\"\necho \"CAN_I_READ_RELEASESERVICECONFIG? ${CAN_I_READ_RELEASESERVICECONFIG}\"\necho \"CAN_I_READ_SNAPSHOTS? ${CAN_I_READ_SNAPSHOTS}\"\necho \"\"\necho \"CAN_I_CREATE_INTERNALREQUESTS? ${CAN_I_CREATE_INTERNALREQUESTS}\"\necho \"\"\n\nif [ \"${CAN_I_READ_RELEASES}\" = \"no\" ] ||\\\n    [ \"${CAN_I_READ_RELEASEPLANS}\" = \"no\" ] ||\\\n    [ \"${CAN_I_READ_RELEASEPLANADMISSIONS}\" = \"no\" ] ||\\\n    [ \"${CAN_I_READ_RELEASESERVICECONFIG}\" = \"no\" ] ||\\\n    [ \"${CAN_I_READ_SNAPSHOTS}\" = \"no\" ] ||\\\n    [ \"${CAN_I_CREATE_INTERNALREQUESTS}\" = \"no\" ] ; then\n  echo \"Error: Cannot read or create required Release resources!\"\n  echo \"\"\n  echo \"This indicates that your workspace is not correctly setup\"\n  echo \"Please reach out to a workspace administrator\"\n  exit 1\nfi\n\necho \"Access to Release resources verified\"\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=67",
                    "operator-sdk/primary-resource": "default-tenant/tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "operator-sdk/primary-resource-type": "Release.appstudio.redhat.com",
                    "pac.test.appstudio.openshift.io/branch": "base-lrytgv",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998167190",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-lrytgv",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de/records/cac1c5c9-151a-4d4d-9ffa-e0854ad87d53",
                    "results.tekton.dev/result": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "release"
                },
                "creationTimestamp": "2026-04-25T08:44:42Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/service": "release",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083437-000",
                    "pipelines.appstudio.openshift.io/type": "managed",
                    "release.appstudio.openshift.io/name": "tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "release.appstudio.openshift.io/namespace": "default-tenant",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "push-to-external-registry",
                    "tekton.dev/pipelineRun": "managed-gfn6w",
                    "tekton.dev/pipelineRunUID": "2e8f5616-b364-4304-9c89-016c508710de",
                    "tekton.dev/pipelineTask": "apply-mapping",
                    "tekton.dev/task": "apply-mapping"
                },
                "name": "managed-gfn6w-apply-mapping",
                "namespace": "default-managed-tenant-c009b",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "managed-gfn6w",
                        "uid": "2e8f5616-b364-4304-9c89-016c508710de"
                    }
                ],
                "resourceVersion": "45908",
                "uid": "cac1c5c9-151a-4d4d-9ffa-e0854ad87d53"
            },
            "spec": {
                "params": [
                    {
                        "name": "failOnEmptyResult",
                        "value": "true"
                    },
                    {
                        "name": "dataPath",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/data.json"
                    },
                    {
                        "name": "snapshotPath",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/snapshot_spec.json"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts"
                    },
                    {
                        "name": "sourceDataArtifact",
                        "value": "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:02e6cd4768090506f283e730df40aba39fe316a42157218ef0a78f341fb99bde"
                    },
                    {
                        "name": "dataDir",
                        "value": "/var/workdir/release"
                    },
                    {
                        "name": "trustedArtifactsDebug",
                        "value": ""
                    },
                    {
                        "name": "taskGitUrl",
                        "value": "https://github.com/konflux-ci/release-service-catalog.git"
                    },
                    {
                        "name": "taskGitRevision",
                        "value": "development"
                    }
                ],
                "retries": 3,
                "serviceAccountName": "release-pipeline",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/release-service-catalog.git"
                        },
                        {
                            "name": "revision",
                            "value": "development"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/managed/apply-mapping/apply-mapping.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:44:54Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:44:54Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "managed-gfn6w-apply-mapping-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                        },
                        "entryPoint": "tasks/managed/apply-mapping/apply-mapping.yaml",
                        "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                    }
                },
                "results": [
                    {
                        "name": "mapped",
                        "type": "string",
                        "value": "true"
                    },
                    {
                        "name": "sourceDataArtifact",
                        "type": "string",
                        "value": "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:6ad3f682b24cb86ce3cb659e346b1b333452204818c5c744b9cd41af27b5dff3"
                    }
                ],
                "startTime": "2026-04-25T08:44:42Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa",
                        "name": "use-trusted-artifact",
                        "provenance": {
                            "refSource": {
                                "digest": {
                                    "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                                },
                                "entryPoint": "stepactions/use-trusted-artifact/use-trusted-artifact.yaml",
                                "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                            }
                        },
                        "terminated": {
                            "containerID": "cri-o://3fc49ad2bac917a72676d8f1747097a5a3722a016e2201b2e9a7d547f49bb0c5",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:44:49Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:44:49Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa",
                        "name": "create-trusted-artifact",
                        "provenance": {
                            "refSource": {
                                "digest": {
                                    "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                                },
                                "entryPoint": "stepactions/create-trusted-artifact/create-trusted-artifact.yaml",
                                "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                            }
                        },
                        "terminated": {
                            "containerID": "cri-o://6702491af8da0888d5757aede394547ac88ee450c2deb9ede83b7d844644910d",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:44:53Z",
                            "message": "[{\"key\":\"mapped\",\"value\":\"true\",\"type\":1},{\"key\":\"sourceDataArtifact\",\"value\":\"oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:6ad3f682b24cb86ce3cb659e346b1b333452204818c5c744b9cd41af27b5dff3\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:44:52Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-apply-mapping",
                        "imageID": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                        "name": "apply-mapping",
                        "terminated": {
                            "containerID": "cri-o://f61ec4f3a0158e5ff50019af46d37bbb3d38e26cfd5ea9684b5d386de94b79f7",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:44:52Z",
                            "message": "[{\"key\":\"mapped\",\"value\":\"true\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:44:50Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Tekton task to apply a mapping to a Snapshot.\n\nThe purpose of this task is to merge a mapping with the components contained in a Snapshot.\nThe mapping is expected to be present in the data field of the ReleasePlanAdmission provided in\nthe `releasePlanAdmissionPath`. If the data field does not contain a `mapping` key, the original\nSnapshot is returned. If there is a `mapping` key, it is merged with the `components` key in the\nSnapshot based on component name.\n\nA `mapped` result is also returned from this task containing a simple true/false value that is\nmeant to inform whether a mapped Snapshot is being returned or the original one.\n\nThis task supports variable expansion in tag values from the mapping. The currently supported variables are:\n* \"{{ timestamp }}\" -\u003e The build-date label from the image in the format provided by timestampFormat or %s as the\n  default.\n  If the build-date label is not available, we use the Created field in the image metadata as a fallback.\n* \"{{ release_timestamp }}\" -\u003e The current time in the format provided by timestampFormat or %s as the default\n* \"{{ git_sha }}\" -\u003e The git sha that triggered the snapshot being processed\n* \"{{ git_short_sha }}\" -\u003e The git sha reduced to 7 characters\n* \"{{ digest_sha }}\" -\u003e The image digest of the respective component\n* \"{{ incrementer }}\" -\u003e Automatically finds the highest existing incremented tag in the\n  repository and generates the next sequential tag (e.g., if the highest tag is v1.0.0-2, it will generate v1.0.0-3)\n* \"{{ oci_version }}\" -\u003e The version from OCI image annotations (org.opencontainers.image.version), with fallback\n  to OCI image labels if not present in annotations (converts + to _ for tag compliance)\n\nYou can also expand image labels, e.g. \"{{ labels.mylabel }}\" -\u003e The value of image label \"mylabel\"",
                    "params": [
                        {
                            "description": "Path to the JSON string of the Snapshot spec in the config workspace to apply the mapping to",
                            "name": "snapshotPath",
                            "type": "string"
                        },
                        {
                            "description": "Path to the JSON string of the merged data to use in the data workspace",
                            "name": "dataPath",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fail the task if the resulting snapshot contains 0 components",
                            "name": "failOnEmptyResult",
                            "type": "string"
                        },
                        {
                            "default": "empty",
                            "description": "The OCI repository where the Trusted Artifacts are stored",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "1d",
                            "description": "How long the trusted artifacts created in the OCI repository are kept before they expire. An empty string means the artifacts do not expire",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable",
                            "name": "trustedArtifactsDebug",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "oras options to pass to Trusted Artifacts calls",
                            "name": "orasOptions",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Location of trusted artifacts to be used to populate data directory",
                            "name": "sourceDataArtifact",
                            "type": "string"
                        },
                        {
                            "default": "/var/workdir/release",
                            "description": "The location where data will be stored",
                            "name": "dataDir",
                            "type": "string"
                        },
                        {
                            "description": "The url to the git repo where the release-service-catalog tasks and stepactions to be used are stored",
                            "name": "taskGitUrl",
                            "type": "string"
                        },
                        {
                            "description": "The revision in the taskGitUrl repo to be used",
                            "name": "taskGitRevision",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "When \"true\", for each repository the resolved {{ timestamp }} value is added to the list of\ntags after translation (deduplicated). Fails if timestamp is empty. Only pipelines referencing\nthe check-labels task should set this to \"true\"\n",
                            "name": "addImplicitTimestampTag",
                            "type": "string"
                        },
                        {
                            "default": "/mnt/trusted-ca/ca-bundle.crt",
                            "description": "Path to CA certificate bundle for TLS verification with self-signed certificates",
                            "name": "caCertPath",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "A true/false value indicating whether or not the snapshot was mapped.",
                            "name": "mapped",
                            "type": "string"
                        },
                        {
                            "description": "Produced trusted data artifact",
                            "name": "sourceDataArtifact",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "1d"
                            },
                            {
                                "name": "ORAS_OPTIONS"
                            },
                            {
                                "name": "DEBUG"
                            }
                        ],
                        "securityContext": {
                            "runAsUser": 1001
                        },
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:02e6cd4768090506f283e730df40aba39fe316a42157218ef0a78f341fb99bde=/var/workdir/release"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "64Mi"
                                },
                                "requests": {
                                    "cpu": "30m",
                                    "memory": "64Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "ORAS_OPTIONS"
                                },
                                {
                                    "name": "CA_FILE",
                                    "value": "/mnt/trusted-ca/ca-bundle.crt"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "use-trusted-artifact"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "64Mi"
                                },
                                "requests": {
                                    "cpu": "1",
                                    "memory": "64Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                            "name": "apply-mapping",
                            "script": "#!/usr/bin/env bash\nset -euxo pipefail\n\nif [ -f \"/mnt/trusted-ca/ca-bundle.crt\" ]; then\n    export SSL_CERT_FILE=\"/mnt/trusted-ca/ca-bundle.crt\"\nfi\n\nSNAPSHOT_SPEC_FILE=\"/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/snapshot_spec.json\"\nDATA_FILE=\"/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/data.json\"\nSNAPSHOT_SPEC_FILE_ORIG=\"${SNAPSHOT_SPEC_FILE}.orig\"\n\nif [ ! -f \"${SNAPSHOT_SPEC_FILE}\" ] ; then\n    echo \"No valid snapshot file was found.\"\n    exit 1\nfi\n\n# Copy the original Snapshot spec file before overriding\ncp \"${SNAPSHOT_SPEC_FILE}\" \"${SNAPSHOT_SPEC_FILE_ORIG}\"\n\nif [ ! -f \"${DATA_FILE}\" ] ; then\n    echo \"No data JSON file was found.\"\n    printf \"false\" | tee \"/tekton/results/mapped\"\n    exit 0\nfi\n\nMAPPING=$(jq '.mapping' \"${DATA_FILE}\")\n\nif [[ $MAPPING == \"null\" ]] ; then\n    echo \"Data file contains no mapping key.\"\n    printf \"false\" | tee \"/tekton/results/mapped\"\n    exit 0\nfi\n\n# Function to handle incrementer logic\nincrement_tag() {\n    local tag_template=\"$1\"\n    local repo=\"$2\"\n\n    # Use `skopeo list-tags` to fetch all tags from the repository\n    existing_tags=$(skopeo list-tags --retry-times 3 docker://\"${repo}\" | jq -r '.Tags[]')\n\n    # Remove `{{ incrementer }}` placeholder to get the version prefix for regex pattern\n    # shellcheck disable=SC2001\n    version_prefix=$(echo \"${tag_template}\" | sed 's/{{ incrementer }}//g')\n    # Match tags with 1–6 digit increments only. 
Ignore 7+ digit tags to avoid\n    # treating short commit SHAs as incrementer values\n    tag_pattern=\"^${version_prefix}[0-9]{1,6}$\"\n\n    # Extract the numeric part of existing tags and find the max increment\n    max_increment=$(echo \"${existing_tags}\" | { grep -E \"${tag_pattern}\" || true; } \\\n    | sed -E \"s/${version_prefix}//\" | sort -nr | head -n1)\n\n    # Calculate the next increment (default to 1 if max_increment is empty or unset)\n    # Use 10# to force decimal input preventing leading 0 from being treated as octal\n    increment=$((10#${max_increment:-0} + 1))\n\n    # Substitute `{{ incrementer }}` in the tag template with the calculated increment\n    tag=\"${tag_template//\\{\\{ incrementer \\}\\}/${increment}}\"\n\n    # Validate the final tag format to avoid malformed tags\n    if [[ ! \"${tag}\" =~ ^[a-zA-Z0-9._-]+$ ]]; then\n        echo \"Error: Invalid tag format after substitution: ${tag}\"\n        exit 1\n    fi\n\n    echo \"$tag\"  # Return the final tag\n}\n\n# Expected arguments are: [variable, substitute_map, labels_map]\nsubstitute() {\n    variable=$1\n    substitute_map=$2\n    labels_map=$3\n\n    result=\"\"\n    if [[ \"$variable\" == labels.* ]]; then\n        label=\"${variable#labels.}\"\n        result=\"$(jq -r --arg labelval \"$label\" '.[$labelval] // \"\"' \u003c\u003c\u003c \"${labels_map}\")\"\n    else\n        result=\"$(jq -r --arg variable \"$variable\" '.[$variable] // \"\"' \u003c\u003c\u003c \"${substitute_map}\")\"\n    fi\n    echo \"$result\"\n}\n\n# When addImplicitTimestampTag is true, append the resolved timestamp value to the\n# translated tag list (and deduplicate). Fails if timestamp is empty. 
Only used by\n# the rh-advisories pipeline.\nensure_implicit_timestamp_value() {\n    local tags_json=\"$1\"\n    local timestamp_val=\"$2\"\n    if [ \"false\" != \"true\" ]; then\n        echo \"$tags_json\"\n        return\n    fi\n    if [ -z \"$timestamp_val\" ]; then\n        echo \"Error: addImplicitTimestampTag is true but timestamp is empty (no build-date or Created).\" \u003e\u00262\n        exit 1\n    fi\n    echo \"$tags_json\" | jq -c --arg ts \"$timestamp_val\" '. + [$ts] | unique'\n}\n\n# Expected arguments are [tags, substitute_map, labels_map, repo]\n# The tags argument is a json array\ntranslate_tags () {\n    tags=$1\n    substitute_map=$2\n    labels_map=$3\n    repo=$4\n    if [ \"$tags\" = '' ] ; then\n        echo ''\n        return\n    fi\n\n    translated_tags='[]'\n    NUM_TAGS=\"$(jq 'length' \u003c\u003c\u003c \"${tags}\")\"\n    for ((i = 0; i \u003c NUM_TAGS; i++)); do\n        tag=\"$(jq -r --argjson i \"$i\" '.[$i]' \u003c\u003c\u003c \"${tags}\")\"\n\n        # Repeatedly translate {{}} references until none are left\n        while [[ $tag =~ \\{\\{\\ *([[:alnum:]_\\.-]+)\\ *\\}\\} ]]; do\n          # Extract the variable name (e.g., timestamp), trimming any surrounding spaces\n          var_name=\"${BASH_REMATCH[1]}\"\n\n          # Sanity check of the template variable name\n          if [[ ! 
\"$var_name\" =~ ^[a-zA-Z0-9._-]+$ ]]; then\n            echo \"Error: Invalid variable name in tag definition: $var_name\" \u003e\u00262\n            exit 1\n          fi\n\n          # Handle incrementer logic\n          if [[ \"$var_name\" == \"incrementer\" ]]; then\n              tag=$(increment_tag \"$tag\" \"$repo\")\n          else\n              replacement=$(substitute \"$var_name\" \"$substitute_map\" \"$labels_map\")\n              if [ -z \"$replacement\" ]; then\n                  echo Error: Substitution variable unknown or empty: \"$var_name\" \u003e\u00262\n                  exit 1\n              fi\n              # Shellcheck suggests ${var//find/replace}, but\n              # that won't work here - we need to match arbitrary amount of spaces\n              # shellcheck disable=SC2001\n              tag=\"$(sed \"s/{{ *$var_name *}}/$replacement/\" \u003c\u003c\u003c \"$tag\")\"\n          fi\n        done\n\n        # Sanity check of the resulting tag value\n        if [[ ! \"$tag\" =~ ^[a-zA-Z0-9._-]+$ ]]; then\n          echo \"Error: Invalid tag format: $tag\" \u003e\u00262\n          exit 1\n        fi\n\n        # Avoid duplicate tags - only add a tag if not already present\n        if [ \"$(jq -c --arg tag \"$tag\" 'index($tag)' \u003c\u003c\u003c \"$translated_tags\")\" = null ]\n        then\n          translated_tags=\"$(jq -c --arg tag \"$tag\" '. 
+ [$tag]' \u003c\u003c\u003c \"$translated_tags\")\"\n        fi\n    done\n\n    echo \"$translated_tags\"\n}\n\nconvert_to_quay () { # Convert the registry.redhat.io URL to the quay.io format\n    local repository=$1\n    case \"$repository\" in\n        registry.redhat.io/*)\n            echo \"${repository/registry.redhat.io/quay.io/redhat-prod}\" \\\n                | sed 's|/|----|g; s|quay.io----redhat-prod----|quay.io/redhat-prod/|'\n            ;;\n        registry.stage.redhat.io/*)\n            echo \"${repository/registry.stage.redhat.io/quay.io/redhat-pending}\" \\\n                | sed 's|/|----|g; s|quay.io----redhat-pending----|quay.io/redhat-pending/|'\n            ;;\n        flatpaks.registry.redhat.io/*)\n            echo \"${repository/flatpaks.registry.redhat.io/quay.io/rh-flatpaks-prod}\" \\\n                | sed 's|/|----|g; s|quay.io----rh-flatpaks-prod----|quay.io/rh-flatpaks-prod/|'\n            ;;\n        flatpaks.registry.stage.redhat.io/*)\n            echo \"${repository/flatpaks.registry.stage.redhat.io/quay.io/rh-flatpaks-stage}\" \\\n                | sed 's|/|----|g; s|quay.io----rh-flatpaks-stage----|quay.io/rh-flatpaks-stage/|'\n            ;;\n        *)\n            echo \"$repository\"\n            ;;\n    esac\n}\n\n# This block is temporary to support both quay.io and registry.redhat.io\n# It should be removed once all repositories are migrated to registry.redhat.io\nconvert_to_registry () { # Convert the repository URL to the registry.redhat.io format\n    local repository=$1\n    case \"$repository\" in\n        quay.io/redhat-prod/*)\n            repository=\"${repository//quay.io\\/redhat-prod/registry.redhat.io}\"\n            repository=\"${repository//----//}\"\n            echo \"$repository\"\n            ;;\n        quay.io/redhat-pending/*)\n            repository=\"${repository//quay.io\\/redhat-pending/registry.stage.redhat.io}\"\n            repository=\"${repository//----//}\"\n            echo 
\"$repository\"\n            ;;\n        quay.io/rh-flatpaks-prod/*)\n            repository=\"${repository//quay.io\\/rh-flatpaks-prod/flatpaks.registry.redhat.io}\"\n            repository=\"${repository//----//}\"\n            echo \"$repository\"\n            ;;\n        quay.io/rh-flatpaks-stage/*)\n            repository=\"${repository//quay.io\\/rh-flatpaks-stage/flatpaks.registry.stage.redhat.io}\"\n            repository=\"${repository//----//}\"\n            echo \"$repository\"\n            ;;\n        registry.redhat.io/* | registry.stage.redhat.io/*)\n            # Return the original Red Hat registry paths\n            echo \"$repository\"\n            ;;\n        *)\n            # Return empty for unhandled formats\n            echo \"\"\n            ;;\n    esac\n}\n\nconvert_to_registry_access () { # Convert the repository URL to the registry.access.redhat.com format\n    local repository=$1\n    case \"$repository\" in\n        registry.redhat.io/*)\n            echo \"${repository/registry.redhat.io/registry.access.redhat.com}\"\n            ;;\n        registry.stage.redhat.io/*)\n            echo \"${repository/registry.stage.redhat.io/registry.access.stage.redhat.com}\"\n            ;;\n        *)\n            echo \"\"\n            ;;\n    esac\n}\n\n# Merge the mapping key contents in the data JSON file with the components key in the snapshot based\n# on component name. Save the output as a compact JSON in the mapped_snapshot.json file in the workspace\n{ echo -n \"$(cat \"${SNAPSHOT_SPEC_FILE_ORIG}\")\"; echo \"${MAPPING}\"; } | jq -c -s '\n  .[0] as $snapshot | .[0].components + .[1].components | group_by(.name) |\n  [.[] | select(length \u003e 1)] | map(reduce .[] as $x ({}; . 
* $x)) as $mergedComponents |\n  $snapshot | .components = $mergedComponents' \u003e \"${SNAPSHOT_SPEC_FILE}\"\n\nprintf \"true\" | tee \"/tekton/results/mapped\"\n\nif [ \"true\" = \"true\" ] \u0026\u0026 \\\n  [ \"$(jq '.components | length' \u003c \"${SNAPSHOT_SPEC_FILE}\")\" -eq 0 ]; then\n  echo \"ERROR: Resulting snapshot contains 0 components. This means that there were 0 components present in\"\n  echo \"both your Snapshot and your ReleasePlanAdmission mapping. Take a look at your component names and\"\n  echo \"make sure that all components you want to release from the snapshot are present in the\"\n  echo \"ReleasePlanAdmission (by the name field of the component).\"\n  echo \"Components in snapshot: $(jq -c '[.components[].name]' \"${SNAPSHOT_SPEC_FILE_ORIG}\")\"\n  echo \"Components in mapping: $(jq -c '[.components[].name]' \u003c\u003c\u003c \"${MAPPING}\")\"\n  exit 1\nfi\n\n# Expand the tags in the data file\ndefaultTags=$(jq '.defaults.tags // []' \u003c\u003c\u003c \"$MAPPING\")\ndefaultTimestampFormat=$(jq -r '.defaults.timestampFormat // \"%s\"' \u003c\u003c\u003c \"$MAPPING\")\ncurrentTimestamp=\"$(date \"+%Y%m%d %T\")\"\ndefaultCGWSettings=$(jq -c '.defaults.contentGateway // {}' \u003c\u003c\u003c \"$MAPPING\")\nNUM_MAPPED_COMPONENTS=$(jq '.components | length' \"${SNAPSHOT_SPEC_FILE}\")\nfor ((i = 0; i \u003c NUM_MAPPED_COMPONENTS; i++)) ; do\n    component=$(jq -c --argjson i \"$i\" '.components[$i]' \"${SNAPSHOT_SPEC_FILE}\")\n    componentTags=$(jq '.componentTags // []' \u003c\u003c\u003c \"$component\")\n    defaultComponentTags=$(jq -n --argjson defaults \"$defaultTags\" --argjson componentTags \\\n      \"$componentTags\" '$defaults? + $componentTags? | unique')\n\n    # images are required to use sha reference - check this\n    NAME=$(jq -r '.name' \u003c\u003c\u003c \"$component\")\n    IMAGE_REF=$(jq -r '.containerImage' \u003c\u003c\u003c \"$component\")\n    if ! 
[[ \"$IMAGE_REF\" =~ ^.+@sha256:[0-9a-f]+$ ]] ; then\n      echo \"Component ${NAME} contains an invalid containerImage value. sha reference is required: ${IMAGE_REF}\"\n      exit 1\n    fi\n\n    git_sha=$(jq -r '.source.git.revision' \u003c\u003c\u003c \"$component\") # this sets the value to \"null\" if it doesn't exist\n    build_sha=${IMAGE_REF##*:}\n    passedTimestampFormat=$(jq -r --arg default \"$defaultTimestampFormat\" \\\n      '.timestampFormat // $default' \u003c\u003c\u003c \"$component\")\n    release_timestamp=\"$(date -d \"$currentTimestamp\" \"+$passedTimestampFormat\")\"\n    arch_json=\"$(get-image-architectures \"${IMAGE_REF}\")\"\n    # The build-date label and Created values are not the same per architecture, but we don't support separate\n    # tags per arch. So, we just use the first digest listed.\n    arch=\"$(jq -rs 'map(.platform.architecture) | .[0]' \u003c\u003c\u003c \"$arch_json\")\"\n    os=\"$(jq -rs 'map(.platform.os) | .[0]' \u003c\u003c\u003c \"$arch_json\")\"\n\n    # Get first digest from architecture info to construct image reference\n    first_digest=\"$(jq -rs '.[0].digest' \u003c\u003c\u003c \"$arch_json\")\"\n\n    # Construct image reference with the first architecture's digest for annotations\n    image_with_digest=\"${IMAGE_REF%@*}@${first_digest}\"\n\n    # Get raw manifest to extract annotations (works for all image types)\n    raw_manifest=\"$(skopeo inspect --retry-times 3 --no-tags --raw docker://\"${image_with_digest}\" | jq -c)\"\n    annotations=\"$(jq -c '.annotations // {}' \u003c\u003c\u003c \"$raw_manifest\")\"\n\n    # Get config.mediaType from raw manifest to determine if this is a standard container image\n    config_media_type=\"$(jq -r '.config.mediaType // \"\"' \u003c\u003c\u003c \"$raw_manifest\")\"\n\n    # Get image metadata for labels, env, build_date\n    # Only standard container images support skopeo inspect without --raw\n    # Standard config types are:\n    #   - 
application/vnd.oci.image.config.v1+json (OCI images)\n    #   - application/vnd.docker.container.image.v1+json (Docker images)\n    # All other artifacts (Helm charts, ML models, empty configs, etc.) don't have\n    # labels/env and would fail with skopeo inspect\n    if [[ \"$config_media_type\" == \"application/vnd.oci.image.config.v1+json\" ]] || \\\n       [[ \"$config_media_type\" == \"application/vnd.docker.container.image.v1+json\" ]]; then\n        # Standard container images - use standard skopeo inspect\n        image_metadata=\"$(skopeo inspect --retry-times 3 --no-tags \\\n          --override-os \"${os}\" --override-arch \"${arch}\" docker://\"${IMAGE_REF}\" | jq -c)\"\n        # For timestamp, use Labels.build-date and fallback to Created\n        build_date=\"$(jq -r '.Labels.\"build-date\" // .Created // \"\"' \u003c\u003c\u003c \"$image_metadata\")\"\n        env_variables=\"$(jq -c '.Env // []' \u003c\u003c\u003c \"${image_metadata}\")\"\n        labels=\"$(jq -c '.Labels // {}' \u003c\u003c\u003c \"${image_metadata}\")\"\n    else\n        # Non-standard artifacts (Helm charts, ML models, etc.) 
don't support\n        # standard skopeo inspect - get build_date from annotations if available\n        build_date=\"$(jq -r '.[\"org.opencontainers.image.created\"] // \"\"' \u003c\u003c\u003c \"$annotations\")\"\n        env_variables=\"[]\"\n        labels=\"{}\"\n    fi\n\n    # Get oci_version_raw from annotations, fallback to labels\n    oci_version_raw=\"$(jq -r '.[\"org.opencontainers.image.version\"] // \"\"' \u003c\u003c\u003c \"$annotations\")\"\n    if [ -z \"$oci_version_raw\" ]; then\n      oci_version_raw=\"$(jq -r '.[\"org.opencontainers.image.version\"] // \"\"' \u003c\u003c\u003c \"$labels\")\"\n    fi\n\n    # Add image env_variables metadata to component\n    if [ \"$(jq 'length' \u003c\u003c\u003c \"$env_variables\")\" -ne 0 ] ; then\n      env_file=$(mktemp)\n      echo \"$env_variables\" \u003e \"$env_file\"\n      jq --argjson i \"$i\" --slurpfile env \"$env_file\" \\\n        '.components[$i].metadata = (.components[$i].metadata // {}) * {env_variables: $env[0]}' \\\n        \"${SNAPSHOT_SPEC_FILE}\" \u003e /tmp/temp \u0026\u0026 mv /tmp/temp \"${SNAPSHOT_SPEC_FILE}\"\n    fi\n\n    # Add image annotations metadata to component\n    if [ \"$(jq 'length' \u003c\u003c\u003c \"$annotations\")\" -ne 0 ] ; then\n      annotations_file=$(mktemp)\n      # Convert annotations from {key: value} to [{name: key, value: value}]\n      jq -c 'if . 
then to_entries | map({name: .key, value: .value}) else [] end' \\\n       \u003c\u003c\u003c \"$annotations\" \u003e \"$annotations_file\"\n      jq --argjson i \"$i\" --slurpfile annotations \"$annotations_file\" \\\n        '.components[$i].metadata = (.components[$i].metadata // {}) * {annotations: $annotations[0]}' \\\n        \"${SNAPSHOT_SPEC_FILE}\" \u003e /tmp/temp \u0026\u0026 mv /tmp/temp \"${SNAPSHOT_SPEC_FILE}\"\n    fi\n\n    # Add image labels metadata to component\n    if [ \"$(jq 'length' \u003c\u003c\u003c \"$labels\")\" -ne 0 ] ; then\n      labels_file=$(mktemp)\n      # Convert labels from {key: value} to [{name: key, value: value}]\n      jq -c 'if . then to_entries | map({name: .key, value: .value}) else [] end' \\\n       \u003c\u003c\u003c \"$labels\" \u003e \"$labels_file\"\n      jq --argjson i \"$i\" --slurpfile labels \"$labels_file\" \\\n        '.components[$i].metadata = (.components[$i].metadata // {}) * {labels: $labels[0]}' \\\n        \"${SNAPSHOT_SPEC_FILE}\" \u003e /tmp/temp \u0026\u0026 mv /tmp/temp \"${SNAPSHOT_SPEC_FILE}\"\n    fi\n\n    # Add media type to component\n    if [ -n \"$config_media_type\" ]; then\n      jq --argjson i \"$i\" --arg media_type \"$config_media_type\" \\\n        '.components[$i].metadata = (.components[$i].metadata // {}) * {media_type: $media_type}' \\\n        \"${SNAPSHOT_SPEC_FILE}\" \u003e /tmp/temp \u0026\u0026 mv /tmp/temp \"${SNAPSHOT_SPEC_FILE}\"\n    fi\n\n    # Transform version to OCI tag format: replace + with _ (convention for OCI compliance)\n    # Set default value if empty (common for regular container images without OCI annotations)\n    oci_version=\"${oci_version_raw//+/_}\"\n    oci_version=\"${oci_version:-unknown}\"\n\n    if [ \"${build_date}\" = \"\" ] ; then\n      timestamp=\"\"\n    else\n      timestamp=\"$(date -d \"${build_date}\" \"+$passedTimestampFormat\")\"\n    fi\n\n    substitute_map=\"$(jq -n -c \\\n      --arg timestamp \"${timestamp}\" \\\n      --arg 
release_timestamp \"${release_timestamp}\" \\\n      --arg git_sha \"${git_sha}\" \\\n      --arg git_short_sha \"${git_sha:0:7}\" \\\n      --arg digest_sha \"${build_sha}\" \\\n      --arg oci_version \"${oci_version}\" \\\n      '$ARGS.named')\"\n\n    # Also substitute filename values in the staged section of components\n    STAGED_FILES=$(jq '.staged.files | length' \u003c\u003c\u003c \"$component\")\n    for ((j = 0; j \u003c STAGED_FILES; j++)) ; do\n        file=$(jq -c --argjson j \"$j\" '.staged.files[$j]' \u003c\u003c\u003c \"$component\")\n        filenameArrayPreSubstitution=$(jq '.filename' \u003c\u003c\u003c \"$file\" | jq -cs)\n        # {{ incrementer }} is not supported in staged.files values, so we just pass\n        # \"\" as the repo argument\n        subbedFilename=$(translate_tags \"${filenameArrayPreSubstitution}\" \\\n          \"${substitute_map}\" \"${labels}\" \"\"| jq -r '.[0]')\n        jq --argjson i \"$i\" --argjson j \"$j\" --arg filename \"$subbedFilename\" \\\n          '.components[$i].staged.files[$j].filename = $filename' \"${SNAPSHOT_SPEC_FILE}\" \u003e /tmp/temp \\\n          \u0026\u0026 mv /tmp/temp \"${SNAPSHOT_SPEC_FILE}\"\n    done\n\n    # apply defaults for contentGateway\n    componentCGWSettings=$(jq -c '.contentGateway // {}' \u003c\u003c\u003c \"$component\")\n    updatedComponentCGWSettings=$(merge-json \"$defaultCGWSettings\" \"$componentCGWSettings\")\n    componentCGWSettingsSize=$(jq '. 
| length' \u003c\u003c\u003c \"${updatedComponentCGWSettings}\")\n\n    if [ \"${componentCGWSettingsSize}\" -gt \"0\" ]; then\n      jq --argjson i \"$i\" --argjson componentCGWSettings \"$updatedComponentCGWSettings\" \\\n      '.components[$i].contentGateway = $componentCGWSettings' \\\n      \"${SNAPSHOT_SPEC_FILE}\" \u003e /tmp/temp \u0026\u0026 mv /tmp/temp \"${SNAPSHOT_SPEC_FILE}\"\n    fi\n\n    # *** Temporary code to maintain backwards compatibility and set .repositories[0] to .repository ***\n    if [[ $(jq 'has(\"repository\")' \u003c\u003c\u003c \"$component\") == \"true\" ]] ; then\n      repository=$(jq -r '.repository' \u003c\u003c\u003c \"$component\")\n      echo \"Processing component: $NAME\"\n      echo \"Original repository: $repository\"\n\n      imageTags=$(jq '.tags // []' \u003c\u003c\u003c \"$component\")\n      oldAllTagsPreSubstitution=$(jq -n --argjson defaults \"$defaultComponentTags\" --argjson imageTags \\\n        \"$imageTags\" '$defaults? + $imageTags? 
| unique')\n      oldTags=$(translate_tags \"${oldAllTagsPreSubstitution}\" \"${substitute_map}\" \"${labels}\" \"${repository}\")\n      oldTags=$(ensure_implicit_timestamp_value \"${oldTags}\" \"${timestamp}\")\n      if [ \"$(jq 'length' \u003c\u003c\u003c \"$oldTags\")\" -gt 0 ] ; then\n        jq --argjson i \"$i\" --argjson updatedTags \"$oldTags\" '.components[$i].tags = $updatedTags' \\\n          \"${SNAPSHOT_SPEC_FILE}\" \u003e /tmp/temp \u0026\u0026 mv /tmp/temp \"${SNAPSHOT_SPEC_FILE}\"\n      fi\n\n      if [[ \"$repository\" == quay.io/redhat-prod/* || \"$repository\" == quay.io/redhat-pending/* ]]; then\n          repository=$(convert_to_registry \"$repository\")\n      fi\n\n      if [[ \"$repository\" == registry.redhat.io/* || \"$repository\" == registry.stage.redhat.io/* ]]; then\n        rh_registry_repo=$repository\n        registry_access_repo=$(convert_to_registry_access \"$repository\")\n        repository=$(convert_to_quay \"$repository\")\n\n        jq --argjson i \"$i\" \\\n          --arg repository \"$repository\" \\\n          --arg rh_registry_repo \"$rh_registry_repo\" \\\n          --arg registry_access_repo \"$registry_access_repo\" \\\n          '(.components[$i].repository = $repository) |\n              .components[$i][\"rh-registry-repo\"] = $rh_registry_repo |\n              .components[$i][\"registry-access-repo\"] = $registry_access_repo' \\\n        \"${SNAPSHOT_SPEC_FILE}\" \u003e /tmp/temp \u0026\u0026 mv /tmp/temp \"${SNAPSHOT_SPEC_FILE}\"\n\n        if [[ $(jq 'has(\"repositories\")' \u003c\u003c\u003c \"$component\") == \"false\" ]] ; then\n          jq --argjson i \"$i\" --arg rh_registry_repo \"$rh_registry_repo\" \\\n            --arg registry_access_repo \"$registry_access_repo\" \\\n              '.components[$i].repositories[0][\"rh-registry-repo\"] = $rh_registry_repo |\n              .components[$i].repositories[0][\"registry-access-repo\"] = $registry_access_repo' \\\n            \"${SNAPSHOT_SPEC_FILE}\" 
\u003e /tmp/temp \u0026\u0026 mv /tmp/temp \"${SNAPSHOT_SPEC_FILE}\"\n        fi\n      fi\n      if [[ $(jq 'has(\"repositories\")' \u003c\u003c\u003c \"$component\") == \"false\" ]] ; then\n        jq --argjson i \"$i\" --arg url \"$repository\" \\\n          --argjson tags \"$oldTags\" \\\n          '.components[$i].repositories[0].url = $url |\n            .components[$i].repositories[0][\"tags\"] = $tags' \\\n          \"${SNAPSHOT_SPEC_FILE}\" \u003e /tmp/temp \u0026\u0026 mv /tmp/temp \"${SNAPSHOT_SPEC_FILE}\"\n      fi\n    fi\n    # *** End of temporary code ***\n\n    NUM_REPOSITORIES=$(jq '.repositories | length' \u003c\u003c\u003c \"$component\")\n    for ((j = 0; j \u003c NUM_REPOSITORIES; j++)) ; do\n        repository=$(jq -c --argjson j \"$j\" '.repositories[$j]' \u003c\u003c\u003c \"$component\")\n        repoTags=$(jq '.tags // []' \u003c\u003c\u003c \"$repository\")\n        url=$(jq -r '.url' \u003c\u003c\u003c \"$repository\")\n        echo \"Processing component: $NAME, repository: $url\"\n\n        allTagsPreSubstitution=$(jq -n --argjson defaults \"$defaultComponentTags\" --argjson repoTags \\\n          \"$repoTags\" '$defaults? + $repoTags? 
| unique')\n        tags=$(translate_tags \"${allTagsPreSubstitution}\" \"${substitute_map}\" \"${labels}\" \"${url}\")\n        tags=$(ensure_implicit_timestamp_value \"${tags}\" \"${timestamp}\")\n        if [ \"$(jq 'length' \u003c\u003c\u003c \"$tags\")\" -gt 0 ] ; then\n          jq --argjson i \"$i\" --argjson j \"$j\" --argjson updatedTags \"$tags\" \\\n            '.components[$i].repositories[$j].tags = $updatedTags' \"${SNAPSHOT_SPEC_FILE}\" \u003e /tmp/temp \\\n            \u0026\u0026 mv /tmp/temp \"${SNAPSHOT_SPEC_FILE}\"\n        fi\n\n        # This block is temporary to support both quay.io and registry.redhat.io\n        # It should be removed once all repositories are migrated to registry.redhat.io\n        if [[ \"$url\" == quay.io/redhat-prod/* ||\n          \"$url\" == quay.io/redhat-pending/* ||\n          \"$url\" == quay.io/rh-flatpaks-prod/* ||\n          \"$url\" == quay.io/rh-flatpaks-stage/* ]]; then\n            url=$(convert_to_registry \"$url\")\n        fi\n\n        # Convert to registry and quay format\n        if [[ \"$url\" == registry.redhat.io/* ||\n          \"$url\" == registry.stage.redhat.io/* ||\n          \"$url\" == flatpaks.registry.redhat.io/* ||\n          \"$url\" == flatpaks.registry.stage.redhat.io/* ]]; then\n          rh_registry_repo=$url\n          registry_access_repo=$(convert_to_registry_access \"$url\")\n          url=$(convert_to_quay \"$url\")\n\n          jq --argjson i \"$i\" \\\n            --argjson j \"$j\" \\\n            --arg url \"$url\" \\\n            --arg rh_registry_repo \"$rh_registry_repo\" \\\n            --arg registry_access_repo \"$registry_access_repo\" \\\n            '.components[$i].repositories[$j].url = $url |\n                .components[$i].repositories[$j][\"rh-registry-repo\"] = $rh_registry_repo |\n                .components[$i].repositories[$j][\"registry-access-repo\"] = $registry_access_repo' \\\n          \"${SNAPSHOT_SPEC_FILE}\" \u003e /tmp/temp \u0026\u0026 mv 
/tmp/temp \"${SNAPSHOT_SPEC_FILE}\"\n        fi\n    done\ndone\n"
                        },
                        {
                            "args": [
                                "create",
                                "--store",
                                "quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts",
                                "/tekton/results/sourceDataArtifact=/var/workdir/release"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "128Mi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "128Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "ORAS_OPTIONS"
                                },
                                {
                                    "name": "CA_FILE",
                                    "value": "/mnt/trusted-ca/ca-bundle.crt"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "create-trusted-artifact"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=64",
                    "operator-sdk/primary-resource": "default-tenant/tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "operator-sdk/primary-resource-type": "Release.appstudio.redhat.com",
                    "pac.test.appstudio.openshift.io/branch": "base-lrytgv",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998167190",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-lrytgv",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de/records/eb632ad9-f4e0-4ffa-a0fb-4698227e9f9c",
                    "results.tekton.dev/result": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "release"
                },
                "creationTimestamp": "2026-04-25T08:44:20Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/service": "release",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083437-000",
                    "pipelines.appstudio.openshift.io/type": "managed",
                    "release.appstudio.openshift.io/name": "tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "release.appstudio.openshift.io/namespace": "default-tenant",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "push-to-external-registry",
                    "tekton.dev/pipelineRun": "managed-gfn6w",
                    "tekton.dev/pipelineRunUID": "2e8f5616-b364-4304-9c89-016c508710de",
                    "tekton.dev/pipelineTask": "check-data-keys",
                    "tekton.dev/task": "check-data-keys"
                },
                "name": "managed-gfn6w-check-data-keys",
                "namespace": "default-managed-tenant-c009b",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "managed-gfn6w",
                        "uid": "2e8f5616-b364-4304-9c89-016c508710de"
                    }
                ],
                "resourceVersion": "45482",
                "uid": "eb632ad9-f4e0-4ffa-a0fb-4698227e9f9c"
            },
            "spec": {
                "params": [
                    {
                        "name": "dataPath",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/data.json"
                    },
                    {
                        "name": "schema",
                        "value": "https://github.com/konflux-ci/release-service-catalog.git/raw/development/schema/dataKeys.json"
                    },
                    {
                        "name": "systems",
                        "value": "[\n  {\"systemName\": \"mapping\", \"dynamic\": false}\n]\n"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts"
                    },
                    {
                        "name": "sourceDataArtifact",
                        "value": "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:5a40819d92d108beb1178a881e5372ac7bb8c4bf3ae6f8a37f3f36d4209790f2"
                    },
                    {
                        "name": "dataDir",
                        "value": "/var/workdir/release"
                    },
                    {
                        "name": "trustedArtifactsDebug",
                        "value": ""
                    },
                    {
                        "name": "taskGitUrl",
                        "value": "https://github.com/konflux-ci/release-service-catalog.git"
                    },
                    {
                        "name": "taskGitRevision",
                        "value": "development"
                    }
                ],
                "serviceAccountName": "release-pipeline",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/release-service-catalog.git"
                        },
                        {
                            "name": "revision",
                            "value": "development"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/managed/check-data-keys/check-data-keys.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:44:33Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:44:33Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "managed-gfn6w-check-data-keys-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                        },
                        "entryPoint": "tasks/managed/check-data-keys/check-data-keys.yaml",
                        "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                    }
                },
                "results": [
                    {
                        "name": "sourceDataArtifact",
                        "type": "string",
                        "value": "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:4a349198f7568164ba3f56fe5804cdc4b7ff9d84009b6d33d738f8e4e8537266"
                    }
                ],
                "startTime": "2026-04-25T08:44:20Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa",
                        "name": "use-trusted-artifact",
                        "provenance": {
                            "refSource": {
                                "digest": {
                                    "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                                },
                                "entryPoint": "stepactions/use-trusted-artifact/use-trusted-artifact.yaml",
                                "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                            }
                        },
                        "terminated": {
                            "containerID": "cri-o://32b6ac5911405254b174a6bedc86eed90bbc3102c1e7c4e09b5a2109e8c2183d",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:44:29Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:44:28Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa",
                        "name": "create-trusted-artifact",
                        "provenance": {
                            "refSource": {
                                "digest": {
                                    "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                                },
                                "entryPoint": "stepactions/create-trusted-artifact/create-trusted-artifact.yaml",
                                "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                            }
                        },
                        "terminated": {
                            "containerID": "cri-o://4d995de67e7c67cbb1f99b76c206aac90845e0d419d4cb0bbef10a5347af9525",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:44:32Z",
                            "message": "[{\"key\":\"sourceDataArtifact\",\"value\":\"oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:4a349198f7568164ba3f56fe5804cdc4b7ff9d84009b6d33d738f8e4e8537266\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:44:31Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-check-data-keys",
                        "imageID": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                        "name": "check-data-keys",
                        "terminated": {
                            "containerID": "cri-o://e6fd1f450972c0e2dccd61f54888c7a90efea1f2d3dd454ce01cd0f7a3f3ad70",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:44:30Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:44:30Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Tekton task that validates data keys against a schema to ensure that all required keys for the given system(s) are present\nand correctly formatted. The system(s) passed into the `systems` parameter become required.\nThe schema validation also applies to all data passed into the `dataPath` parameter,\nmeaning all the data keys must be allowed and formatted correctly.\n\nFor example, if `releaseNotes` is passed as a system and the data file does not have all the required\nreleaseNotes keys, the schema will give validation errors, and the task will fail.\n\nThe validation schema is downloaded at run time from the URL in the `schema` parameter, which defaults to\n`schema/dataKeys.json` on the `development` branch of this repository; the default URL tracks a branch and\nthe downloaded file is not verified against a digest.",
                    "params": [
                        {
                            "description": "Path, relative to `dataDir`, of the JSON file containing the merged data to use",
                            "name": "dataPath",
                            "type": "string"
                        },
                        {
                            "default": "https://raw.githubusercontent.com/konflux-ci/release-service-catalog/refs/heads/development/schema/dataKeys.json",
                            "description": "URL to the JSON schema file to validate the data against",
                            "name": "schema",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The systems for which all required data keys must be present",
                            "name": "systems",
                            "type": "string"
                        },
                        {
                            "default": "empty",
                            "description": "The OCI repository where the Trusted Artifacts are stored",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "1d",
                            "description": "How long the trusted artifacts created in the OCI repository are kept before they expire (for example, `1d`). An empty string means the artifacts do not expire",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable",
                            "name": "trustedArtifactsDebug",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "oras options to pass to Trusted Artifacts calls",
                            "name": "orasOptions",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Location of trusted artifacts to be used to populate data directory",
                            "name": "sourceDataArtifact",
                            "type": "string"
                        },
                        {
                            "default": "/var/workdir/release",
                            "description": "The location where data will be stored",
                            "name": "dataDir",
                            "type": "string"
                        },
                        {
                            "description": "The url to the git repo where the release-service-catalog tasks and stepactions to be used are stored",
                            "name": "taskGitUrl",
                            "type": "string"
                        },
                        {
                            "description": "The revision in the taskGitUrl repo to be used",
                            "name": "taskGitRevision",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "/mnt/trusted-ca/ca-bundle.crt",
                            "description": "Path to CA certificate bundle for TLS verification with self-signed certificates",
                            "name": "caCertPath",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Produced trusted data artifact",
                            "name": "sourceDataArtifact",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "1d"
                            },
                            {
                                "name": "ORAS_OPTIONS"
                            },
                            {
                                "name": "DEBUG"
                            }
                        ],
                        "securityContext": {
                            "runAsUser": 1001
                        },
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:5a40819d92d108beb1178a881e5372ac7bb8c4bf3ae6f8a37f3f36d4209790f2=/var/workdir/release"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "64Mi"
                                },
                                "requests": {
                                    "cpu": "30m",
                                    "memory": "64Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "ORAS_OPTIONS"
                                },
                                {
                                    "name": "CA_FILE",
                                    "value": "/mnt/trusted-ca/ca-bundle.crt"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "use-trusted-artifact"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "64Mi"
                                },
                                "requests": {
                                    "cpu": "10m",
                                    "memory": "64Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SCHEMA_FILE",
                                    "value": "https://github.com/konflux-ci/release-service-catalog.git/raw/development/schema/dataKeys.json"
                                }
                            ],
                            "image": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                            "name": "check-data-keys",
                            "script": "#!/usr/bin/env bash\nset -ex\n\nif [ -f \"/mnt/trusted-ca/ca-bundle.crt\" ]; then\n    export SSL_CERT_FILE=\"/mnt/trusted-ca/ca-bundle.crt\"\nfi\n\nif [ ! -f \"/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/data.json\" ] ; then\n    echo \"No data JSON was provided.\"\n    exit 1\nfi\n\nschema=\"${SCHEMA_FILE/\\.git\\///}\"\nif ! curl -sL --fail-with-body \"$schema\" -o /tmp/schema ; then\n    echo \"Failed to download schema file: $schema\"\n    exit 1\nfi\n\n# We want this to output the json without expansion\n# shellcheck disable=SC2016\njq --argjson systems '[\n  {\"systemName\": \"mapping\", \"dynamic\": false}\n]\n' '.systems += $systems' \\\n    \"/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/data.json\" \u003e \"/tmp/systems\"\nmv \"/tmp/systems\" \"/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/data.json\"\n\ncheck-jsonschema --output-format=text --schemafile \"/tmp/schema\"  \"/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/data.json\"\n"
                        },
                        {
                            "args": [
                                "create",
                                "--store",
                                "quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts",
                                "/tekton/results/sourceDataArtifact=/var/workdir/release"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "128Mi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "128Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "ORAS_OPTIONS"
                                },
                                {
                                    "name": "CA_FILE",
                                    "value": "/mnt/trusted-ca/ca-bundle.crt"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "create-trusted-artifact"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=60",
                    "operator-sdk/primary-resource": "default-tenant/tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "operator-sdk/primary-resource-type": "Release.appstudio.redhat.com",
                    "pac.test.appstudio.openshift.io/branch": "base-lrytgv",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998167190",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-lrytgv",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de/records/e5dc7b73-508c-4cd6-8b71-baa8a1237864",
                    "results.tekton.dev/result": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "release"
                },
                "creationTimestamp": "2026-04-25T08:44:08Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/service": "release",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083437-000",
                    "pipelines.appstudio.openshift.io/type": "managed",
                    "release.appstudio.openshift.io/name": "tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "release.appstudio.openshift.io/namespace": "default-tenant",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "push-to-external-registry",
                    "tekton.dev/pipelineRun": "managed-gfn6w",
                    "tekton.dev/pipelineRunUID": "2e8f5616-b364-4304-9c89-016c508710de",
                    "tekton.dev/pipelineTask": "collect-data",
                    "tekton.dev/task": "collect-data"
                },
                "name": "managed-gfn6w-collect-data",
                "namespace": "default-managed-tenant-c009b",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "managed-gfn6w",
                        "uid": "2e8f5616-b364-4304-9c89-016c508710de"
                    }
                ],
                "resourceVersion": "45364",
                "uid": "e5dc7b73-508c-4cd6-8b71-baa8a1237864"
            },
            "spec": {
                "params": [
                    {
                        "name": "release",
                        "value": "default-tenant/tsf-demo-app-20260425-083437-000-d8a3550-f85bl"
                    },
                    {
                        "name": "releasePlan",
                        "value": "default-tenant/tsf-release"
                    },
                    {
                        "name": "releasePlanAdmission",
                        "value": "default-managed-tenant-c009b/tsf-release"
                    },
                    {
                        "name": "releaseServiceConfig",
                        "value": "release-service/release-service-config"
                    },
                    {
                        "name": "snapshot",
                        "value": "default-tenant/tsf-demo-app-20260425-083437-000"
                    },
                    {
                        "name": "subdirectory",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts"
                    },
                    {
                        "name": "dataDir",
                        "value": "/var/workdir/release"
                    },
                    {
                        "name": "trustedArtifactsDebug",
                        "value": ""
                    },
                    {
                        "name": "taskGitUrl",
                        "value": "https://github.com/konflux-ci/release-service-catalog.git"
                    },
                    {
                        "name": "taskGitRevision",
                        "value": "development"
                    }
                ],
                "serviceAccountName": "release-pipeline",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/release-service-catalog.git"
                        },
                        {
                            "name": "revision",
                            "value": "development"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/managed/collect-data/collect-data.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:44:19Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:44:19Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "managed-gfn6w-collect-data-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                        },
                        "entryPoint": "tasks/managed/collect-data/collect-data.yaml",
                        "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                    }
                },
                "results": [
                    {
                        "name": "data",
                        "type": "string",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/data.json"
                    },
                    {
                        "name": "release",
                        "type": "string",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/release.json"
                    },
                    {
                        "name": "releasePipelineMetadata",
                        "type": "string",
                        "value": "{\"org\":\"konflux-ci\",\"repo\":\"release-service-catalog\",\"revision\":\"development\",\"pathinrepo\":\"pipelines/managed/push-to-external-registry/push-to-external-registry.yaml\",\"sha\":\"48a31f6910278fccd79a551bac7174fb734dad3b\"}\n"
                    },
                    {
                        "name": "releasePlan",
                        "type": "string",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/release_plan.json"
                    },
                    {
                        "name": "releasePlanAdmission",
                        "type": "string",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/release_plan_admission.json"
                    },
                    {
                        "name": "releaseServiceConfig",
                        "type": "string",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/release_service_config.json"
                    },
                    {
                        "name": "resultsDir",
                        "type": "string",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/results"
                    },
                    {
                        "name": "singleComponentMode",
                        "type": "string",
                        "value": "false"
                    },
                    {
                        "name": "snapshotBuildId",
                        "type": "string",
                        "value": "tsf-demo-comp-on-push-8flps"
                    },
                    {
                        "name": "snapshotName",
                        "type": "string",
                        "value": "tsf-demo-app-20260425-083437-000"
                    },
                    {
                        "name": "snapshotNamespace",
                        "type": "string",
                        "value": "default-tenant"
                    },
                    {
                        "name": "snapshotSpec",
                        "type": "string",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/snapshot_spec.json"
                    },
                    {
                        "name": "subdirectory",
                        "type": "string",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de"
                    },
                    {
                        "name": "sourceDataArtifact",
                        "type": "string",
                        "value": "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:5a40819d92d108beb1178a881e5372ac7bb8c4bf3ae6f8a37f3f36d4209790f2"
                    }
                ],
                "startTime": "2026-04-25T08:44:08Z",
                "steps": [
                    {
                        "container": "step-create-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa",
                        "name": "create-trusted-artifact",
                        "provenance": {
                            "refSource": {
                                "digest": {
                                    "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                                },
                                "entryPoint": "stepactions/create-trusted-artifact/create-trusted-artifact.yaml",
                                "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                            }
                        },
                        "terminated": {
                            "containerID": "cri-o://b263215452e05a53a9703c3ae689a2db6b2ac3cd9a936ad048e8cf882748ba43",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:44:19Z",
                            "message": "[{\"key\":\"data\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de/data.json\",\"type\":1},{\"key\":\"release\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de/release.json\",\"type\":1},{\"key\":\"releasePipelineMetadata\",\"value\":\"{\\\"org\\\":\\\"konflux-ci\\\",\\\"repo\\\":\\\"release-service-catalog\\\",\\\"revision\\\":\\\"development\\\",\\\"pathinrepo\\\":\\\"pipelines/managed/push-to-external-registry/push-to-external-registry.yaml\\\",\\\"sha\\\":\\\"48a31f6910278fccd79a551bac7174fb734dad3b\\\"}\\n\",\"type\":1},{\"key\":\"releasePlan\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de/release_plan.json\",\"type\":1},{\"key\":\"releasePlanAdmission\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de/release_plan_admission.json\",\"type\":1},{\"key\":\"releaseServiceConfig\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de/release_service_config.json\",\"type\":1},{\"key\":\"resultsDir\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de/results\",\"type\":1},{\"key\":\"singleComponentMode\",\"value\":\"false\",\"type\":1},{\"key\":\"snapshotBuildId\",\"value\":\"tsf-demo-comp-on-push-8flps\",\"type\":1},{\"key\":\"snapshotName\",\"value\":\"tsf-demo-app-20260425-083437-000\",\"type\":1},{\"key\":\"snapshotNamespace\",\"value\":\"default-tenant\",\"type\":1},{\"key\":\"snapshotSpec\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de/snapshot_spec.json\",\"type\":1},{\"key\":\"sourceDataArtifact\",\"value\":\"oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:5a40819d92d108beb1178a881e5372ac7bb8c4bf3ae6f8a37f3f36d4209790f2\",\"type\":1},{\"key\":\"subdirectory\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:44:18Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-collect-data",
                        "imageID": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                        "name": "collect-data",
                        "terminated": {
                            "containerID": "cri-o://a57b8eee800e1fa9376531ebb397837237f16dd243b54974b867e5e0d1e8db6e",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:44:17Z",
                            "message": "[{\"key\":\"data\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de/data.json\",\"type\":1},{\"key\":\"release\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de/release.json\",\"type\":1},{\"key\":\"releasePipelineMetadata\",\"value\":\"{\\\"org\\\":\\\"konflux-ci\\\",\\\"repo\\\":\\\"release-service-catalog\\\",\\\"revision\\\":\\\"development\\\",\\\"pathinrepo\\\":\\\"pipelines/managed/push-to-external-registry/push-to-external-registry.yaml\\\",\\\"sha\\\":\\\"48a31f6910278fccd79a551bac7174fb734dad3b\\\"}\\n\",\"type\":1},{\"key\":\"releasePlan\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de/release_plan.json\",\"type\":1},{\"key\":\"releasePlanAdmission\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de/release_plan_admission.json\",\"type\":1},{\"key\":\"releaseServiceConfig\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de/release_service_config.json\",\"type\":1},{\"key\":\"resultsDir\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de/results\",\"type\":1},{\"key\":\"singleComponentMode\",\"value\":\"false\",\"type\":1},{\"key\":\"snapshotBuildId\",\"value\":\"tsf-demo-comp-on-push-8flps\",\"type\":1},{\"key\":\"snapshotName\",\"value\":\"tsf-demo-app-20260425-083437-000\",\"type\":1},{\"key\":\"snapshotNamespace\",\"value\":\"default-tenant\",\"type\":1},{\"key\":\"snapshotSpec\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de/snapshot_spec.json\",\"type\":1},{\"key\":\"subdirectory\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:44:16Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-check-data-key-sources",
                        "imageID": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                        "name": "check-data-key-sources",
                        "terminated": {
                            "containerID": "cri-o://2c7f85d87ac8d6a8649277baeb3d062fb03ae5e6b27d20fe9b62939ab54b7e2f",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:44:17Z",
                            "message": "[{\"key\":\"data\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de/data.json\",\"type\":1},{\"key\":\"release\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de/release.json\",\"type\":1},{\"key\":\"releasePipelineMetadata\",\"value\":\"{\\\"org\\\":\\\"konflux-ci\\\",\\\"repo\\\":\\\"release-service-catalog\\\",\\\"revision\\\":\\\"development\\\",\\\"pathinrepo\\\":\\\"pipelines/managed/push-to-external-registry/push-to-external-registry.yaml\\\",\\\"sha\\\":\\\"48a31f6910278fccd79a551bac7174fb734dad3b\\\"}\\n\",\"type\":1},{\"key\":\"releasePlan\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de/release_plan.json\",\"type\":1},{\"key\":\"releasePlanAdmission\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de/release_plan_admission.json\",\"type\":1},{\"key\":\"releaseServiceConfig\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de/release_service_config.json\",\"type\":1},{\"key\":\"resultsDir\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de/results\",\"type\":1},{\"key\":\"singleComponentMode\",\"value\":\"false\",\"type\":1},{\"key\":\"snapshotBuildId\",\"value\":\"tsf-demo-comp-on-push-8flps\",\"type\":1},{\"key\":\"snapshotName\",\"value\":\"tsf-demo-app-20260425-083437-000\",\"type\":1},{\"key\":\"snapshotNamespace\",\"value\":\"default-tenant\",\"type\":1},{\"key\":\"snapshotSpec\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de/snapshot_spec.json\",\"type\":1},{\"key\":\"subdirectory\",\"value\":\"2e8f5616-b364-4304-9c89-016c508710de\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:44:17Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Tekton task to collect the information added to the data field of the release resources.\n\nThe purpose of this task is to collect all the data and supply it to the other tasks in the pipeline by creating\na json file called `data.json` in the workspace.\n\nThis task also stores the passed resources as json files in a workspace.\n\nThe parameters to this task are lowercase instead of camelCase because they are passed from the operator, and the\noperator passes them as lowercase.\n\nA task result is returned for each resource with the relative path to the stored JSON for it in the workspace.\n\nFinally, the task checks that the keys come from the correct resource (a key that should come from the\nReleasePlanAdmission should not be present in the Release data section).",
                    "params": [
                        {
                            "description": "The namespaced name of the Release",
                            "name": "release",
                            "type": "string"
                        },
                        {
                            "description": "The namespaced name of the ReleasePlan",
                            "name": "releasePlan",
                            "type": "string"
                        },
                        {
                            "description": "The namespaced name of the ReleasePlanAdmission",
                            "name": "releasePlanAdmission",
                            "type": "string"
                        },
                        {
                            "description": "The namespaced name of the ReleaseServiceConfig",
                            "name": "releaseServiceConfig",
                            "type": "string"
                        },
                        {
                            "description": "The namespaced name of the Snapshot",
                            "name": "snapshot",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Subdirectory inside the workspace to be used",
                            "name": "subdirectory",
                            "type": "string"
                        },
                        {
                            "default": "empty",
                            "description": "The OCI repository where the Trusted Artifacts are stored",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "oras options to pass to Trusted Artifacts calls",
                            "name": "orasOptions",
                            "type": "string"
                        },
                        {
                            "default": "1d",
                            "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable",
                            "name": "trustedArtifactsDebug",
                            "type": "string"
                        },
                        {
                            "default": "/var/workdir/release",
                            "description": "The location where data will be stored",
                            "name": "dataDir",
                            "type": "string"
                        },
                        {
                            "description": "The url to the git repo where the release-service-catalog tasks and stepactions to be used are stored",
                            "name": "taskGitUrl",
                            "type": "string"
                        },
                        {
                            "description": "The revision in the taskGitUrl repo to be used",
                            "name": "taskGitRevision",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "/mnt/trusted-ca/ca-bundle.crt",
                            "description": "Path to CA certificate bundle for TLS verification with self-signed certificates",
                            "name": "caCertPath",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The relative path in the workspace to the stored release json",
                            "name": "release",
                            "type": "string"
                        },
                        {
                            "description": "The relative path in the workspace to the stored releasePlan json",
                            "name": "releasePlan",
                            "type": "string"
                        },
                        {
                            "description": "The relative path in the workspace to the stored releasePlanAdmission json",
                            "name": "releasePlanAdmission",
                            "type": "string"
                        },
                        {
                            "description": "The relative path in the workspace to the stored releaseServiceConfig json",
                            "name": "releaseServiceConfig",
                            "type": "string"
                        },
                        {
                            "description": "The relative path in the workspace to the stored snapshotSpec json",
                            "name": "snapshotSpec",
                            "type": "string"
                        },
                        {
                            "description": "The relative path in the workspace to the stored data json",
                            "name": "data",
                            "type": "string"
                        },
                        {
                            "description": "The relative path in the workspace to the results directory",
                            "name": "resultsDir",
                            "type": "string"
                        },
                        {
                            "description": "single component mode",
                            "name": "singleComponentMode",
                            "type": "string"
                        },
                        {
                            "description": "name of Snapshot resource",
                            "name": "snapshotName",
                            "type": "string"
                        },
                        {
                            "description": "namespace where Snapshot is located",
                            "name": "snapshotNamespace",
                            "type": "string"
                        },
                        {
                            "description": "Build Id where Snapshot originated",
                            "name": "snapshotBuildId",
                            "type": "string"
                        },
                        {
                            "description": "json object containing git resolver metadata about the running release pipeline",
                            "name": "releasePipelineMetadata",
                            "type": "string"
                        },
                        {
                            "description": "Produced trusted data artifact",
                            "name": "sourceDataArtifact",
                            "type": "string"
                        },
                        {
                            "description": "Subdirectory inside the workspace to be used",
                            "name": "subdirectory",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "1d"
                            },
                            {
                                "name": "ORAS_OPTIONS"
                            },
                            {
                                "name": "DEBUG"
                            }
                        ],
                        "securityContext": {
                            "runAsUser": 1001
                        },
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "64Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "64Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "RELEASE",
                                    "value": "default-tenant/tsf-demo-app-20260425-083437-000-d8a3550-f85bl"
                                },
                                {
                                    "name": "RELEASE_PLAN",
                                    "value": "default-tenant/tsf-release"
                                },
                                {
                                    "name": "RELEASE_PLAN_ADMISSION",
                                    "value": "default-managed-tenant-c009b/tsf-release"
                                },
                                {
                                    "name": "RELEASE_SERVICE_CONFIG",
                                    "value": "release-service/release-service-config"
                                },
                                {
                                    "name": "SNAPSHOT",
                                    "value": "default-tenant/tsf-demo-app-20260425-083437-000"
                                }
                            ],
                            "image": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                            "name": "collect-data",
                            "script": "#!/usr/bin/env bash\nset -eo pipefail\n\nif [ -f \"/mnt/trusted-ca/ca-bundle.crt\" ]; then\n    export SSL_CERT_FILE=\"/mnt/trusted-ca/ca-bundle.crt\"\nfi\n\nset -x\necho -n \"2e8f5616-b364-4304-9c89-016c508710de\" \u003e \"/tekton/results/subdirectory\"\n\nRESULTS_DIR_PATH=\"results\"\nif [ -n \"2e8f5616-b364-4304-9c89-016c508710de\" ]; then\n  mkdir -p \"/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de\"\n  RESULTS_DIR_PATH=\"2e8f5616-b364-4304-9c89-016c508710de/results\"\nfi\n\nmkdir -p \"/var/workdir/release/$RESULTS_DIR_PATH\"\necho -n \"$RESULTS_DIR_PATH\" \u003e \"/tekton/results/resultsDir\"\n\nRELEASE_PATH=\"2e8f5616-b364-4304-9c89-016c508710de/release.json\"\necho -n \"$RELEASE_PATH\" \u003e \"/tekton/results/release\"\nget-resource \"release\" \"${RELEASE}\" | tee \"/var/workdir/release/$RELEASE_PATH\"\n\nRELEASEPLAN_PATH=\"2e8f5616-b364-4304-9c89-016c508710de/release_plan.json\"\necho -n \"$RELEASEPLAN_PATH\" \u003e \"/tekton/results/releasePlan\"\nget-resource \"releaseplan\" \"${RELEASE_PLAN}\" | tee \"/var/workdir/release/$RELEASEPLAN_PATH\"\n\nRELEASEPLANADMISSION_PATH=\"2e8f5616-b364-4304-9c89-016c508710de/release_plan_admission.json\"\necho -n \"$RELEASEPLANADMISSION_PATH\" \u003e \"/tekton/results/releasePlanAdmission\"\nget-resource \"releaseplanadmission\" \"${RELEASE_PLAN_ADMISSION}\" \\\n  | tee \"/var/workdir/release/$RELEASEPLANADMISSION_PATH\"\n\nRELEASESERVICECONFIG_PATH=\"2e8f5616-b364-4304-9c89-016c508710de/release_service_config.json\"\necho -n \"$RELEASESERVICECONFIG_PATH\" \u003e \"/tekton/results/releaseServiceConfig\"\nget-resource \"releaseserviceconfig\" \"${RELEASE_SERVICE_CONFIG}\" \\\n  | tee \"/var/workdir/release/$RELEASESERVICECONFIG_PATH\"\n\necho -e \"\\nFetching Snapshot Spec\"\nSNAPSHOTSPEC_PATH=\"2e8f5616-b364-4304-9c89-016c508710de/snapshot_spec.json\"\necho -n \"$SNAPSHOTSPEC_PATH\" \u003e \"/tekton/results/snapshotSpec\"\nget-resource \"snapshot\" \"${SNAPSHOT}\" 
\"{.spec}\" \\\n  | jq '(if .componentGroup == null then .componentGroup = .application else . end) | del(.application)' \\\n  | tee \"/var/workdir/release/$SNAPSHOTSPEC_PATH\"\nlabels=$(get-resource \"snapshot\" \"${SNAPSHOT}\" \"{.metadata.labels}\")\nBUILD_ID=$(jq -r '.\"appstudio.openshift.io/build-pipelinerun\" // \"\"' \u003c\u003c\u003c \"${labels}\")\necho -n \"${BUILD_ID}\" | tee \"/tekton/results/snapshotBuildId\"\n\necho -e \"\\nGenerating collectors data\"\ncollectors_status=$(get-resource \"release\" \"${RELEASE}\" \"{.status.collectors}\")\necho \"***collectors status\"\necho \"${collectors_status}\"\necho \"***\"\n\ncollectors_result=$(jq -c '\n  def deepmerge(a; b):\n    reduce b[] as $item (a;\n    reduce ($item | keys_unsorted[]) as $key (.;\n    $item[$key] as $val | ($val | type) as $type | .[$key] = if ($type == \"object\") then\n    deepmerge({}; [if .[$key] == null then {} else .[$key] end, $val])\n    elif ($type == \"array\") then\n    (.[$key] + $val | unique)\n    else\n    $val\n    end)\n    );\n\n  # Ensure we safely handle missing collectors\n  (.? // {}) as $collectors |\n\n  # Flatten and combine the managed and tenant sections\n  [($collectors.managed? // {} | to_entries | map(.value)) +\n   ($collectors.tenant? // {} | to_entries | map(.value))] |\n   flatten |\n   deepmerge({}; .)\n' \u003c\u003c\u003c \"${collectors_status}\")\necho \"***collectors\"\njq \u003c\u003c\u003c \"$collectors_result\"\necho \"***\"\n\necho -e \"\\nFetching merged data json\"\nrelease_result=$(get-resource \"release\" \"${RELEASE}\" \"{.spec.data}\")\n\nrelease_plan_result=$(get-resource \"releaseplan\" \"${RELEASE_PLAN}\" \"{.spec.data}\")\n\nrelease_plan_admission_result=$(get-resource \"releaseplanadmission\" \"${RELEASE_PLAN_ADMISSION}\" \\\n    \"{.spec.data}\")\n\n# Merge collectors and Release keys. Release has higher priority\nmerged_output=$(merge-json \"$collectors_result\" \"$release_result\")\n\n# Merge now with ReleasePlan keys. 
ReleasePlan has higher priority\nmerged_output=$(merge-json \"$merged_output\" \"$release_plan_result\")\n\n# Finally merge with ReleasePlanAdmission keys. ReleasePlanAdmission has higher priority\nmerged_output=$(merge-json \"$merged_output\" \"$release_plan_admission_result\")\n\nDATA_PATH=\"2e8f5616-b364-4304-9c89-016c508710de/data.json\"\necho -n \"$DATA_PATH\" \u003e \"/tekton/results/data\"\necho \"$merged_output\" | tee \"/var/workdir/release/$DATA_PATH\"\n\n# get pipeline ref info\npipelineref=$(jq -c '.spec.pipeline.pipelineRef' \\\n  \"/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/release_plan_admission.json\")\nresolver=$(jq -r '.resolver // \"\"' \u003c\u003c\u003c \"${pipelineref}\")\nif [ \"${resolver}\" == \"git\" ] ; then\n  url=$(jq -r '.params[] | select(.name==\"url\") | .value' \u003c\u003c\u003c \"${pipelineref}\")\n  revision=$(jq -r '.params[] | select(.name==\"revision\") | .value' \u003c\u003c\u003c \"${pipelineref}\")\n  pathinrepo=$(jq -r '.params[] | select(.name==\"pathInRepo\") | .value' \u003c\u003c\u003c \"${pipelineref}\")\n  orgrepo=\"${url#*/*/*/}\"\n  org=$(echo \"${orgrepo}\" | cut -f1 -d/)\n  repo=$(echo \"${orgrepo}\" | cut -f2 -d/ | cut -d. -f1)\n\n  sha=$(curl -s \"https://api.github.com/repos/${org}/${repo}/commits/${revision}\" | jq -r '.sha // \"\"')\n\nfi\n\norg=\"${org:-unknown}\"\nrepo=\"${repo:-unknown}\"\nrevision=\"${revision:-unknown}\"\npathinrepo=\"${pathinrepo:-unknown}\"\nsha=\"${sha:-unknown}\"\n\necho \"\"\necho \"Release Pipeline Ref Info:\"\necho \"--------------------------\"\n\njson=$(jq -n -c \\\n  --arg org \"${org}\" \\\n  --arg repo \"${repo}\" \\\n  --arg revision \"${revision}\" \\\n  --arg pathinrepo \"${pathinrepo}\" \\\n  --arg sha \"${sha}\" \\\n  '$ARGS.named')\n\necho \"${json}\" \u003e \"/tekton/results/releasePipelineMetadata\"\n# pretty print for log message\njq . 
\u003c\u003c\u003c \"$json\"\n\nSINGLE_COMPONENT_MODE=$(jq -r '.singleComponentMode // \"false\"' \"/var/workdir/release/$DATA_PATH\")\nSNAPSHOT_NAME=$(echo \"${SNAPSHOT}\" | cut -f2 -d/)\nSNAPSHOT_NAMESPACE=$(echo \"${SNAPSHOT}\" | cut -f1 -d/)\n\necho -n \"${SINGLE_COMPONENT_MODE}\" | tee \"/tekton/results/singleComponentMode\"\necho -n \"${SNAPSHOT_NAME}\" | tee \"/tekton/results/snapshotName\"\necho -n \"${SNAPSHOT_NAMESPACE}\" | tee \"/tekton/results/snapshotNamespace\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "10m",
                                    "memory": "32Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                            "name": "check-data-key-sources",
                            "script": "#!/usr/bin/env bash\nset -ex\n\nDISALLOWED_KEYS_JSON='{\n    \"Release\": [\n        \"releaseNotes.product_id\",\n        \"releaseNotes.product_name\",\n        \"releaseNotes.product_version\",\n        \"releaseNotes.product_stream\",\n        \"releaseNotes.cpe\",\n        \"releaseNotes.allow_custom_live_id\"\n    ],\n    \"ReleasePlan\": [\n        \"releaseNotes.product_id\",\n        \"releaseNotes.product_name\",\n        \"releaseNotes.product_version\",\n        \"releaseNotes.product_stream\",\n        \"releaseNotes.cpe\",\n        \"releaseNotes.allow_custom_live_id\"\n    ],\n    \"ReleasePlanAdmission\": [\n    ]\n}'\n\nRC=0\n\ncheck_source () { # Expected arguments are [CRD from DISALLOWED_KEYS_JSON, file]\n    for KEY in $(jq -r \".$1[]\" \u003c\u003c\u003c \"$DISALLOWED_KEYS_JSON\") ; do\n        if [[ $(jq \".spec.data.$KEY\" \"$2\") != \"null\" ]] ; then\n            echo \"Found disallowed key: $KEY in resource $1\"\n            RC=1\n        fi\n    done\n}\n\ncheck_source \"Release\" \"/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/release.json\"\ncheck_source \"ReleasePlan\" \"/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/release_plan.json\"\ncheck_source \"ReleasePlanAdmission\" \\\n    \"/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/release_plan_admission.json\"\n\nexit $RC\n"
                        },
                        {
                            "args": [
                                "create",
                                "--store",
                                "quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts",
                                "/tekton/results/sourceDataArtifact=/var/workdir/release"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "128Mi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "128Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "ORAS_OPTIONS"
                                },
                                {
                                    "name": "CA_FILE",
                                    "value": "/mnt/trusted-ca/ca-bundle.crt"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "create-trusted-artifact"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=61",
                    "operator-sdk/primary-resource": "default-tenant/tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "operator-sdk/primary-resource-type": "Release.appstudio.redhat.com",
                    "pac.test.appstudio.openshift.io/branch": "base-lrytgv",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998167190",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-lrytgv",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de/records/b34a9cf7-fdab-4f42-87cd-5873e6491db4",
                    "results.tekton.dev/result": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "release"
                },
                "creationTimestamp": "2026-04-25T08:44:20Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/service": "release",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083437-000",
                    "pipelines.appstudio.openshift.io/type": "managed",
                    "release.appstudio.openshift.io/name": "tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "release.appstudio.openshift.io/namespace": "default-tenant",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "push-to-external-registry",
                    "tekton.dev/pipelineRun": "managed-gfn6w",
                    "tekton.dev/pipelineRunUID": "2e8f5616-b364-4304-9c89-016c508710de",
                    "tekton.dev/pipelineTask": "collect-registry-token-secret",
                    "tekton.dev/task": "collect-registry-token-secret"
                },
                "name": "managed-gfn6w-collect-registry-token-secret",
                "namespace": "default-managed-tenant-c009b",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "managed-gfn6w",
                        "uid": "2e8f5616-b364-4304-9c89-016c508710de"
                    }
                ],
                "resourceVersion": "45535",
                "uid": "b34a9cf7-fdab-4f42-87cd-5873e6491db4"
            },
            "spec": {
                "params": [
                    {
                        "name": "dataPath",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/data.json"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts"
                    },
                    {
                        "name": "sourceDataArtifact",
                        "value": "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:5a40819d92d108beb1178a881e5372ac7bb8c4bf3ae6f8a37f3f36d4209790f2"
                    },
                    {
                        "name": "dataDir",
                        "value": "/var/workdir/release"
                    },
                    {
                        "name": "trustedArtifactsDebug",
                        "value": ""
                    },
                    {
                        "name": "taskGitUrl",
                        "value": "https://github.com/konflux-ci/release-service-catalog.git"
                    },
                    {
                        "name": "taskGitRevision",
                        "value": "development"
                    }
                ],
                "serviceAccountName": "release-pipeline",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/release-service-catalog.git"
                        },
                        {
                            "name": "revision",
                            "value": "development"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/managed/collect-registry-token-secret/collect-registry-token-secret.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:44:28Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:44:28Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "managed-gfn6w-collect-registry-token-secret-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                        },
                        "entryPoint": "tasks/managed/collect-registry-token-secret/collect-registry-token-secret.yaml",
                        "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                    }
                },
                "results": [
                    {
                        "name": "registrySecret",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-04-25T08:44:21Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa",
                        "name": "use-trusted-artifact",
                        "provenance": {
                            "refSource": {
                                "digest": {
                                    "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                                },
                                "entryPoint": "stepactions/use-trusted-artifact/use-trusted-artifact.yaml",
                                "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                            }
                        },
                        "terminated": {
                            "containerID": "cri-o://917c460f6f369a2209398c9b895c6fda6cf872e026b1046cae07c944be3235d5",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:44:28Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:44:27Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-collect-secret",
                        "imageID": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                        "name": "collect-secret",
                        "terminated": {
                            "containerID": "cri-o://07ec424c4b6fa98b1b4950a79aacad920c6b16b3d8dfff4f8bc3b9a985254b03",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:44:28Z",
                            "message": "[{\"key\":\"registrySecret\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:44:28Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Tekton task that collects the name of the secret containing the registry token from the data file",
                    "params": [
                        {
                            "description": "Path to the merged data JSON file generated by collect-data task",
                            "name": "dataPath",
                            "type": "string"
                        },
                        {
                            "default": "empty",
                            "description": "The OCI repository where the Trusted Artifacts are stored",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "1d",
                            "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable",
                            "name": "trustedArtifactsDebug",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "oras options to pass to Trusted Artifacts calls",
                            "name": "orasOptions",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Location of trusted artifacts to be used to populate data directory",
                            "name": "sourceDataArtifact",
                            "type": "string"
                        },
                        {
                            "default": "/var/workdir/release",
                            "description": "The location where data will be stored",
                            "name": "dataDir",
                            "type": "string"
                        },
                        {
                            "description": "The url to the git repo where the release-service-catalog tasks and stepactions to be used are stored",
                            "name": "taskGitUrl",
                            "type": "string"
                        },
                        {
                            "description": "The revision in the taskGitUrl repo to be used",
                            "name": "taskGitRevision",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "/mnt/trusted-ca/ca-bundle.crt",
                            "description": "Path to CA certificate bundle for TLS verification with self-signed certificates",
                            "name": "caCertPath",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The kube secret used to access the quay.io API, containing one key: token",
                            "name": "registrySecret",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "1d"
                            },
                            {
                                "name": "ORAS_OPTIONS"
                            },
                            {
                                "name": "DEBUG"
                            }
                        ],
                        "securityContext": {
                            "runAsUser": 1001
                        },
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:5a40819d92d108beb1178a881e5372ac7bb8c4bf3ae6f8a37f3f36d4209790f2=/var/workdir/release"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "64Mi"
                                },
                                "requests": {
                                    "cpu": "30m",
                                    "memory": "64Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "ORAS_OPTIONS"
                                },
                                {
                                    "name": "CA_FILE",
                                    "value": "/mnt/trusted-ca/ca-bundle.crt"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "use-trusted-artifact"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "128Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "128Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                            "name": "collect-secret",
                            "script": "#!/usr/bin/env bash\nset -eux\n\nDATA_FILE=\"/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/data.json\"\nif [ ! -f \"${DATA_FILE}\" ] ; then\n    echo \"No valid data file was provided.\"\n    exit 1\nfi\n\n# Check if there is anything to make public - either in defaults, or a component\nSECRET_REQUIRED=false\nif [ \"$(jq -r '.mapping.defaults.public // false' \"$DATA_FILE\")\" = true ] ; then\n  SECRET_REQUIRED=true\nelse\n  NUM_COMPONENTS=$(jq '.mapping.components | length' \"$DATA_FILE\")\n  for ((i=0; i \u003c NUM_COMPONENTS; i++)); do\n    COMPONENT=$(jq -c \".mapping.components[$i]\" \"$DATA_FILE\")\n    if [ \"$(jq -r '.public // false' \u003c\u003c\u003c \"$COMPONENT\")\" = true ] ; then\n      SECRET_REQUIRED=true\n      break\n    fi\n  done\nfi\n\nif [ \"$SECRET_REQUIRED\" = false ]; then\n  echo No repos to make public, so no secret is required. Exiting...\n  echo -n \"\" \u003e \"/tekton/results/registrySecret\"\n  exit 0\nfi\n\nif [ \"$(jq '.mapping | has(\"registrySecret\")' \"$DATA_FILE\")\" == false ] ; then\n    echo \"Registry secret missing in data JSON file\"\n    exit 1\nfi\n\njq -j '.mapping.registrySecret' \"$DATA_FILE\" | tee \"/tekton/results/registrySecret\"\n"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=65",
                    "operator-sdk/primary-resource": "default-tenant/tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "operator-sdk/primary-resource-type": "Release.appstudio.redhat.com",
                    "pac.test.appstudio.openshift.io/branch": "base-lrytgv",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998167190",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-lrytgv",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de/records/a915d01b-c259-488e-bd44-ca3517dbad6b",
                    "results.tekton.dev/result": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "release"
                },
                "creationTimestamp": "2026-04-25T08:44:20Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/service": "release",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083437-000",
                    "pipelines.appstudio.openshift.io/type": "managed",
                    "release.appstudio.openshift.io/name": "tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "release.appstudio.openshift.io/namespace": "default-tenant",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "push-to-external-registry",
                    "tekton.dev/pipelineRun": "managed-gfn6w",
                    "tekton.dev/pipelineRunUID": "2e8f5616-b364-4304-9c89-016c508710de",
                    "tekton.dev/pipelineTask": "collect-signing-params",
                    "tekton.dev/task": "collect-signing-params"
                },
                "name": "managed-gfn6w-collect-signing-params",
                "namespace": "default-managed-tenant-c009b",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "managed-gfn6w",
                        "uid": "2e8f5616-b364-4304-9c89-016c508710de"
                    }
                ],
                "resourceVersion": "45486",
                "uid": "a915d01b-c259-488e-bd44-ca3517dbad6b"
            },
            "spec": {
                "serviceAccountName": "release-pipeline",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/release-service-catalog.git"
                        },
                        {
                            "name": "revision",
                            "value": "development"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/managed/collect-signing-params/collect-signing-params.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:44:33Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:44:33Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "managed-gfn6w-collect-signing-params-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                        },
                        "entryPoint": "tasks/managed/collect-signing-params/collect-signing-params.yaml",
                        "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                    }
                },
                "results": [
                    {
                        "name": "buildIdentityRegexp",
                        "type": "string",
                        "value": "^https://kubernetes.io/namespaces/[a-z0-9-]+-tenant/serviceaccounts/build-pipeline-[a-z0-9-]+$"
                    },
                    {
                        "name": "defaultOIDCIssuer",
                        "type": "string",
                        "value": "https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j"
                    },
                    {
                        "name": "enableKeylessSigning",
                        "type": "string",
                        "value": "true"
                    },
                    {
                        "name": "fulcioExternalUrl",
                        "type": "string",
                        "value": "https://fulcio-server-tsf-tas.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com"
                    },
                    {
                        "name": "fulcioUrl",
                        "type": "string",
                        "value": "http://fulcio-server.tsf-tas.svc.cluster.local"
                    },
                    {
                        "name": "rekorExternalUrl",
                        "type": "string",
                        "value": "https://rekor-server-tsf-tas.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com"
                    },
                    {
                        "name": "rekorUrl",
                        "type": "string",
                        "value": "http://rekor-server.tsf-tas.svc.cluster.local"
                    },
                    {
                        "name": "tektonChainsIdentity",
                        "type": "string",
                        "value": "https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller"
                    },
                    {
                        "name": "tufExternalUrl",
                        "type": "string",
                        "value": "https://tuf-tsf-tas.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com"
                    },
                    {
                        "name": "tufUrl",
                        "type": "string",
                        "value": "http://tuf.tsf-tas.svc.cluster.local"
                    }
                ],
                "startTime": "2026-04-25T08:44:20Z",
                "steps": [
                    {
                        "container": "step-collect-signing-params",
                        "imageID": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                        "name": "collect-signing-params",
                        "terminated": {
                            "containerID": "cri-o://59e5ff3c059492a74d388cae6fc1262a8b926c606642cdd0726fcdbc3e3908f7",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:44:32Z",
                            "message": "[{\"key\":\"buildIdentityRegexp\",\"value\":\"^https://kubernetes.io/namespaces/[a-z0-9-]+-tenant/serviceaccounts/build-pipeline-[a-z0-9-]+$\",\"type\":1},{\"key\":\"defaultOIDCIssuer\",\"value\":\"https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j\",\"type\":1},{\"key\":\"enableKeylessSigning\",\"value\":\"true\",\"type\":1},{\"key\":\"fulcioExternalUrl\",\"value\":\"https://fulcio-server-tsf-tas.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com\",\"type\":1},{\"key\":\"fulcioUrl\",\"value\":\"http://fulcio-server.tsf-tas.svc.cluster.local\",\"type\":1},{\"key\":\"rekorExternalUrl\",\"value\":\"https://rekor-server-tsf-tas.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com\",\"type\":1},{\"key\":\"rekorUrl\",\"value\":\"http://rekor-server.tsf-tas.svc.cluster.local\",\"type\":1},{\"key\":\"tektonChainsIdentity\",\"value\":\"https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller\",\"type\":1},{\"key\":\"tufExternalUrl\",\"value\":\"https://tuf-tsf-tas.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com\",\"type\":1},{\"key\":\"tufUrl\",\"value\":\"http://tuf.tsf-tas.svc.cluster.local\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:44:25Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
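                    "description": "Tekton task to collect Konflux configuration parameters related to\nkeyless signing using cosign. The task attempts to read the \"cluster-config\"\nConfigMap in the \"konflux-info\" namespace to extract signing parameters.\n\nIn case the ConfigMap cannot be retrieved, the task sets enableKeylessSigning to \"false\" and outputs empty strings for all other parameters,\nallowing the pipeline to continue without signing parameters. The step treats any failed fetch as \"not found\" and discards the kubectl error output,\nso a permission or API error also takes this path and the release continues without keyless signing.",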
                    "params": [
                        {
                            "default": "cluster-config",
                            "description": "The name of the ConfigMap to read signing parameters from",
                            "name": "configMapName",
                            "type": "string"
                        },
                        {
                            "default": "konflux-info",
                            "description": "The namespace where the ConfigMap is located",
                            "name": "configMapNamespace",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "A flag indicating whether keyless signing should be enabled, based on the presence of signing parameters.\n",
                            "name": "enableKeylessSigning",
                            "type": "string"
                        },
                        {
                            "description": "A default OIDC issuer URL to be used for signing.\n",
                            "name": "defaultOIDCIssuer",
                            "type": "string"
                        },
                        {
                            "description": "The external URL of the Rekor transparency log.\n",
                            "name": "rekorExternalUrl",
                            "type": "string"
                        },
                        {
                            "description": "The internal URL of the Rekor transparency log.\n",
                            "name": "rekorUrl",
                            "type": "string"
                        },
                        {
                            "description": "The external URL of the Fulcio certificate authority.\n",
                            "name": "fulcioExternalUrl",
                            "type": "string"
                        },
                        {
                            "description": "The URL of the Fulcio certificate authority.\n",
                            "name": "fulcioUrl",
                            "type": "string"
                        },
                        {
                            "description": "The external URL of the TUF repository.\n",
                            "name": "tufExternalUrl",
                            "type": "string"
                        },
                        {
                            "description": "The URL of the TUF repository.\n",
                            "name": "tufUrl",
                            "type": "string"
                        },
                        {
                            "description": "A regular expression to extract build identity from the OIDC token claims, if applicable.\n",
                            "name": "buildIdentityRegexp",
                            "type": "string"
                        },
                        {
                            "description": "The identity used in the certificate generated by Fulcio.\n",
                            "name": "tektonChainsIdentity",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "securityContext": {
                            "runAsUser": 1001
                        },
                        "volumeMounts": [
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "128Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "128Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                            "name": "collect-signing-params",
                            "script": "#!/usr/bin/env bash\necho \"Getting cluster-config ConfigMap\"\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\n\n# Attempt to fetch the ConfigMap with retries, capture exit code\nif retry 3 kubectl get configmap \"cluster-config\" -n \"konflux-info\" -o json \u003e \\\n\"$KFLX_CONFIG_PATH\" 2\u003e/dev/null; then\n    echo \"ConfigMap found, extracting signing parameters\"\n\n    # Extract signing parameters from ConfigMap data, defaulting to empty string if not found\n    enableKeylessSigning=$(jq -r '.data.enableKeylessSigning // \"\"' \"$KFLX_CONFIG_PATH\")\n    defaultOIDCIssuer=$(jq -r '.data.defaultOIDCIssuer // \"\"' \"$KFLX_CONFIG_PATH\")\n    rekorExternalUrl=$(jq -r '.data.rekorExternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n    rekorInternalUrl=$(jq -r '.data.rekorInternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n    fulcioExternalUrl=$(jq -r '.data.fulcioExternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n    fulcioInternalUrl=$(jq -r '.data.fulcioInternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n    tufExternalUrl=$(jq -r '.data.tufExternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n    tufInternalUrl=$(jq -r '.data.tufInternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n    buildIdentityRegexp=$(jq -r '.data.buildIdentityRegexp // \"\"' \"$KFLX_CONFIG_PATH\")\n    tektonChainsIdentity=$(jq -r '.data.tektonChainsIdentity // \"\"' \"$KFLX_CONFIG_PATH\")\nelse\n    echo \"ConfigMap not found, using default empty values\"\n\n    # Set all parameters to empty strings when ConfigMap doesn't exist\n    enableKeylessSigning=\"false\"\n    defaultOIDCIssuer=\"\"\n    rekorExternalUrl=\"\"\n    rekorInternalUrl=\"\"\n    fulcioExternalUrl=\"\"\n    fulcioInternalUrl=\"\"\n    tufExternalUrl=\"\"\n    tufInternalUrl=\"\"\n    buildIdentityRegexp=\"\"\n    tektonChainsIdentity=\"\"\nfi\n\n# Write the values to the respective result paths and print them\necho -n \"$enableKeylessSigning\" | tee \"/tekton/results/enableKeylessSigning\"\necho -n 
\"$defaultOIDCIssuer\" | tee \"/tekton/results/defaultOIDCIssuer\"\necho -n \"$rekorExternalUrl\" | tee \"/tekton/results/rekorExternalUrl\"\nprefer_internal_or_external() {\n  local internal=\"$1\"\n  local external=\"$2\"\n  local result_path=\"$3\"\n\n  if [ -n \"$internal\" ]; then\n    echo -n \"$internal\" | tee \"$result_path\"\n  else\n    echo -n \"$external\" | tee \"$result_path\"\n  fi\n}\n\nprefer_internal_or_external \"$rekorInternalUrl\" \"$rekorExternalUrl\" \"/tekton/results/rekorUrl\"\necho -n \"$fulcioExternalUrl\" | tee \"/tekton/results/fulcioExternalUrl\"\nprefer_internal_or_external \"$fulcioInternalUrl\" \"$fulcioExternalUrl\" \"/tekton/results/fulcioUrl\"\necho -n \"$tufExternalUrl\" | tee \"/tekton/results/tufExternalUrl\"\nprefer_internal_or_external \"$tufInternalUrl\" \"$tufExternalUrl\" \"/tekton/results/tufUrl\"\necho -n \"$buildIdentityRegexp\" | tee \"/tekton/results/buildIdentityRegexp\"\necho -n \"$tektonChainsIdentity\" | tee \"/tekton/results/tektonChainsIdentity\"\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=62",
                    "operator-sdk/primary-resource": "default-tenant/tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "operator-sdk/primary-resource-type": "Release.appstudio.redhat.com",
                    "pac.test.appstudio.openshift.io/branch": "base-lrytgv",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998167190",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-lrytgv",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de/records/e373e2ba-f96d-43dd-a176-674fa4f79c8b",
                    "results.tekton.dev/result": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "release"
                },
                "creationTimestamp": "2026-04-25T08:44:20Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/service": "release",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083437-000",
                    "pipelines.appstudio.openshift.io/type": "managed",
                    "release.appstudio.openshift.io/name": "tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "release.appstudio.openshift.io/namespace": "default-tenant",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "push-to-external-registry",
                    "tekton.dev/pipelineRun": "managed-gfn6w",
                    "tekton.dev/pipelineRunUID": "2e8f5616-b364-4304-9c89-016c508710de",
                    "tekton.dev/pipelineTask": "collect-task-params",
                    "tekton.dev/task": "collect-task-params"
                },
                "name": "managed-gfn6w-collect-task-params",
                "namespace": "default-managed-tenant-c009b",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "managed-gfn6w",
                        "uid": "2e8f5616-b364-4304-9c89-016c508710de"
                    }
                ],
                "resourceVersion": "45449",
                "uid": "e373e2ba-f96d-43dd-a176-674fa4f79c8b"
            },
            "spec": {
                "params": [
                    {
                        "name": "dataDir",
                        "value": "/var/workdir/release"
                    },
                    {
                        "name": "dataPath",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/data.json"
                    },
                    {
                        "name": "keysToExtract",
                        "value": "[\n  {\"resultIndex\": 0, \"key\": \".conforma.workerCount\", \"default\": \"4\"},\n  {\"resultIndex\": 1, \"key\": \".sign.cosignSecretName\", \"default\": \"secret-not-present\"}\n]\n"
                    },
                    {
                        "name": "taskGitUrl",
                        "value": "https://github.com/konflux-ci/release-service-catalog.git"
                    },
                    {
                        "name": "taskGitRevision",
                        "value": "development"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts"
                    },
                    {
                        "name": "sourceDataArtifact",
                        "value": "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:5a40819d92d108beb1178a881e5372ac7bb8c4bf3ae6f8a37f3f36d4209790f2"
                    },
                    {
                        "name": "trustedArtifactsDebug",
                        "value": ""
                    }
                ],
                "serviceAccountName": "release-pipeline",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/release-service-catalog.git"
                        },
                        {
                            "name": "revision",
                            "value": "development"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/managed/collect-task-params/collect-task-params.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:44:28Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:44:28Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "managed-gfn6w-collect-task-params-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                        },
                        "entryPoint": "tasks/managed/collect-task-params/collect-task-params.yaml",
                        "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                    }
                },
                "results": [
                    {
                        "name": "extractedValues",
                        "type": "array",
                        "value": [
                            "4",
                            "secret-not-present"
                        ]
                    }
                ],
                "startTime": "2026-04-25T08:44:20Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa",
                        "name": "use-trusted-artifact",
                        "provenance": {
                            "refSource": {
                                "digest": {
                                    "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                                },
                                "entryPoint": "stepactions/use-trusted-artifact/use-trusted-artifact.yaml",
                                "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                            }
                        },
                        "terminated": {
                            "containerID": "cri-o://63638be6037b34642ffb1478bdc9aef1e4c7456e1049c41096a5c9d858ccafe8",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:44:27Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:44:26Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-collect-task-params",
                        "imageID": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                        "name": "collect-task-params",
                        "terminated": {
                            "containerID": "cri-o://3ed764b1c63118f622be3f6963c0ec5c3bb50128741e1f8ae5521bf8eb26a8e4",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:44:28Z",
                            "message": "[{\"key\":\"extractedValues\",\"value\":\"[\\n  \\\"4\\\",\\n  \\\"secret-not-present\\\"\\n]\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:44:28Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Tekton task that extracts values from the data JSON file based on specified keys and exposes them as task results.\nThe task takes an array of resultIndex/key pairs and extracts the corresponding values from the dataPath JSON file.\nEach extracted value is placed at the specified resultIndex in the extractedValues array for use by downstream\ntasks. Optional default values can be provided for keys that may not exist in the data file. If no default is\nprovided and the key does not exist, the task will fail.",
                    "params": [
                        {
                            "description": "Path to the JSON string of the merged data containing the values to extract",
                            "name": "dataPath",
                            "type": "string"
                        },
                        {
                            "description": "JSON array of objects with \"resultIndex\", \"key\", and optional \"default\" fields. Each object specifies the array\nindex where the extracted value should be placed, the JSON path key to extract from the data file, and an\noptional default value to use if the key is not found. Example: [{\"resultIndex\": 1,\n\"key\": \".releaseNotes.summary\"}, {\"resultIndex\": 0, \"key\": \".foo\", \"default\": \"fallback_value\"}]\n",
                            "name": "keysToExtract",
                            "type": "string"
                        },
                        {
                            "default": "empty",
                            "description": "The OCI repository where the Trusted Artifacts are stored",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "1d",
                            "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable",
                            "name": "trustedArtifactsDebug",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "oras options to pass to Trusted Artifacts calls",
                            "name": "orasOptions",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Location of trusted artifacts to be used to populate data directory",
                            "name": "sourceDataArtifact",
                            "type": "string"
                        },
                        {
                            "default": "/var/workdir/release",
                            "description": "The location where data will be stored",
                            "name": "dataDir",
                            "type": "string"
                        },
                        {
                            "description": "The url to the git repo where the release-service-catalog tasks and stepactions to be used are stored",
                            "name": "taskGitUrl",
                            "type": "string"
                        },
                        {
                            "description": "The revision in the taskGitUrl repo to be used",
                            "name": "taskGitRevision",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "/mnt/trusted-ca/ca-bundle.crt",
                            "description": "Path to CA certificate bundle for TLS verification with self-signed certificates",
                            "name": "caCertPath",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Array of extracted values. Each value is placed at the resultIndex specified in the keysToExtract parameter.\nValues can be accessed by their specified index in downstream tasks.\n",
                            "name": "extractedValues",
                            "type": "array"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "1d"
                            },
                            {
                                "name": "ORAS_OPTIONS"
                            },
                            {
                                "name": "DEBUG"
                            }
                        ],
                        "securityContext": {
                            "runAsUser": 1001
                        },
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:5a40819d92d108beb1178a881e5372ac7bb8c4bf3ae6f8a37f3f36d4209790f2=/var/workdir/release"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "64Mi"
                                },
                                "requests": {
                                    "cpu": "30m",
                                    "memory": "64Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "ORAS_OPTIONS"
                                },
                                {
                                    "name": "CA_FILE",
                                    "value": "/mnt/trusted-ca/ca-bundle.crt"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "use-trusted-artifact"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "128Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "128Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KEYS_JSON",
                                    "value": "[\n  {\"resultIndex\": 0, \"key\": \".conforma.workerCount\", \"default\": \"4\"},\n  {\"resultIndex\": 1, \"key\": \".sign.cosignSecretName\", \"default\": \"secret-not-present\"}\n]\n"
                                }
                            ],
                            "image": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                            "name": "collect-task-params",
                            "script": "#!/usr/bin/env bash\nset -x\n\nDATA_FILE=\"/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/data.json\"\nif [ ! -f \"${DATA_FILE}\" ] ; then\n    echo \"No valid data file was provided.\"\n    exit 1\nfi\n\n# Validate KEYS_JSON format\nif ! jq -e 'type == \"array\"' \u003c\u003c\u003c \"$KEYS_JSON\" \u003e /dev/null; then\n    echo \"keysToExtract must be a valid JSON array\"\n    echo \"Received value: $KEYS_JSON\"\n    exit 1\nfi\n\n# Get the number of keys to extract\nKEY_COUNT=$(jq 'length' \u003c\u003c\u003c \"$KEYS_JSON\")\nif [ \"$KEY_COUNT\" -eq 0 ]; then\n    echo \"keysToExtract array is empty\"\n    exit 1\nfi\n\n# Initialize result array with empty strings since it may not be populated in order based on\n# keysToExtract resultIndex input\nRESULT_ARRAY=\"[]\"\nfor i in $(seq 0 $((KEY_COUNT - 1))); do\n    RESULT_ARRAY=$(jq '. += [\"\"]' \u003c\u003c\u003c \"$RESULT_ARRAY\")\ndone\n\nfor i in $(seq 0 $((KEY_COUNT - 1))); do\n    RESULT_INDEX=$(jq -r \".[$i].resultIndex\" \u003c\u003c\u003c \"$KEYS_JSON\")\n    KEY=$(jq -r \".[$i].key\" \u003c\u003c\u003c \"$KEYS_JSON\")\n    DEFAULT_VALUE=$(jq -r \".[$i].default // null\" \u003c\u003c\u003c \"$KEYS_JSON\")\n\n    if [ \"$RESULT_INDEX\" = \"null\" ] || [ \"$KEY\" = \"null\" ]; then\n        echo \"Invalid key extraction specification at index $i: missing resultIndex or key\"\n        exit 1\n    fi\n\n    # Check if resultIndex is a valid integer\n    if ! 
[[ \"$RESULT_INDEX\" =~ ^[0-9]+$ ]]; then\n        echo \"Error: resultIndex at position $i must be a non-negative integer, got: $RESULT_INDEX\"\n        exit 1\n    fi\n\n    # Check if resultIndex is within valid bounds\n    if [ \"$RESULT_INDEX\" -ge \"$KEY_COUNT\" ]; then\n        echo \"Error: resultIndex $RESULT_INDEX at position $i is out of bounds.\"\n        echo \"Valid range is 0 to $((KEY_COUNT - 1))\"\n        exit 1\n    fi\n\n    # Extract the value from the data file using the specified key\n    TRANSFORMED_KEY=$(echo \"$KEY\" | sed -E 's/\\.([^\\.\"\\[]+|\"[^\"]+\")/.\"\\1\"/g')\n    VALUE=$(jq -r \"$TRANSFORMED_KEY\" \"$DATA_FILE\" 2\u003e/dev/null)\n\n    # Check if the key exists in the data file\n    if [ \"$VALUE\" = \"null\" ]; then\n        if [ \"$DEFAULT_VALUE\" != \"null\" ]; then\n            echo \"Key $KEY not found in data file, using default value: $DEFAULT_VALUE\"\n            VALUE=\"$DEFAULT_VALUE\"\n        else\n            echo \"Error: Key $KEY not found in data file, and no default value for it was passed\"\n            exit 1\n        fi\n    fi\n\n    # Update the array at the specified resultIndex\n    RESULT_ARRAY=$(jq --argjson idx \"$RESULT_INDEX\" --arg value \"$VALUE\" '.[$idx] = $value' \u003c\u003c\u003c \"$RESULT_ARRAY\")\ndone\n\n# Write the array result\njq \u003c\u003c\u003c \"$RESULT_ARRAY\" | tee \"/tekton/results/extractedValues\"\n"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=69",
                    "operator-sdk/primary-resource": "default-tenant/tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "operator-sdk/primary-resource-type": "Release.appstudio.redhat.com",
                    "pac.test.appstudio.openshift.io/branch": "base-lrytgv",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998167190",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-lrytgv",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de/records/c9022b1b-a209-4134-950e-4d82cdac9fd1",
                    "results.tekton.dev/result": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "release"
                },
                "creationTimestamp": "2026-04-25T08:45:06Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/service": "release",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083437-000",
                    "pipelines.appstudio.openshift.io/type": "managed",
                    "release.appstudio.openshift.io/name": "tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "release.appstudio.openshift.io/namespace": "default-tenant",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "push-to-external-registry",
                    "tekton.dev/pipelineRun": "managed-gfn6w",
                    "tekton.dev/pipelineRunUID": "2e8f5616-b364-4304-9c89-016c508710de",
                    "tekton.dev/pipelineTask": "collect-tpa-params",
                    "tekton.dev/task": "collect-tpa-params"
                },
                "name": "managed-gfn6w-collect-tpa-params",
                "namespace": "default-managed-tenant-c009b",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "managed-gfn6w",
                        "uid": "2e8f5616-b364-4304-9c89-016c508710de"
                    }
                ],
                "resourceVersion": "46226",
                "uid": "c9022b1b-a209-4134-950e-4d82cdac9fd1"
            },
            "spec": {
                "params": [
                    {
                        "name": "dataPath",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/data.json"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts"
                    },
                    {
                        "name": "sourceDataArtifact",
                        "value": "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:5a40819d92d108beb1178a881e5372ac7bb8c4bf3ae6f8a37f3f36d4209790f2"
                    },
                    {
                        "name": "dataDir",
                        "value": "/var/workdir/release"
                    },
                    {
                        "name": "trustedArtifactsDebug",
                        "value": ""
                    },
                    {
                        "name": "taskGitUrl",
                        "value": "https://github.com/konflux-ci/release-service-catalog.git"
                    },
                    {
                        "name": "taskGitRevision",
                        "value": "development"
                    },
                    {
                        "name": "failOnMissing",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "release-pipeline",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/release-service-catalog.git"
                        },
                        {
                            "name": "revision",
                            "value": "development"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/managed/collect-tpa-params/collect-tpa-params.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:45:14Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:45:14Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "managed-gfn6w-collect-tpa-params-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                        },
                        "entryPoint": "tasks/managed/collect-tpa-params/collect-tpa-params.yaml",
                        "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                    }
                },
                "results": [
                    {
                        "name": "atlasApiUrl",
                        "type": "string",
                        "value": "https://server-tsf-tpa.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com"
                    },
                    {
                        "name": "retryAWSSecretName",
                        "type": "string",
                        "value": "secret-not-present"
                    },
                    {
                        "name": "retryS3Bucket",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "secretName",
                        "type": "string",
                        "value": "release-sso-secret"
                    },
                    {
                        "name": "ssoTokenUrl",
                        "type": "string",
                        "value": "https://tsf-sso.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/realms/tsf-iam/protocol/openid-connect/token"
                    }
                ],
                "startTime": "2026-04-25T08:45:06Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa",
                        "name": "use-trusted-artifact",
                        "provenance": {
                            "refSource": {
                                "digest": {
                                    "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                                },
                                "entryPoint": "stepactions/use-trusted-artifact/use-trusted-artifact.yaml",
                                "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                            }
                        },
                        "terminated": {
                            "containerID": "cri-o://df01aa6e9b7ed7d98268174acc25cf8c224221374908cf9c177577ce8a175990",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:45:12Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:45:12Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-collect-tpa-params",
                        "imageID": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                        "name": "collect-tpa-params",
                        "terminated": {
                            "containerID": "cri-o://ef1bb35137d201a6f270a803d8e026620f85eea6201bddd945f47efdc6c6ac2f",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:45:13Z",
                            "message": "[{\"key\":\"atlasApiUrl\",\"value\":\"https://server-tsf-tpa.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com\",\"type\":1},{\"key\":\"retryAWSSecretName\",\"value\":\"secret-not-present\",\"type\":1},{\"key\":\"retryS3Bucket\",\"value\":\"\",\"type\":1},{\"key\":\"secretName\",\"value\":\"release-sso-secret\",\"type\":1},{\"key\":\"ssoTokenUrl\",\"value\":\"https://tsf-sso.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/realms/tsf-iam/protocol/openid-connect/token\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:45:13Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Tekton task that collects the TPA server option from the data file.\nIt can either parse the cluster configuration stored in the konflux-info\nnamespace or parse a dataPath JSON file for values.\n\nIf the desired configmap is present in konflux-info, it will be used\nas a preferred option.\n\nOtherwise it outputs values based on the value of the \"atlas.server\" or\n\"tpa.server\" field (\"stage\" or \"production\"); the output values are used\nto push SBOMs to TPA. It also outputs results used to push SBOMs to an S3\nbucket.\n\nIf the configmap in konflux-info cannot be parsed and no TPA fields\nare present in the data file, the task fails. If this is undesired,\nthe task can be configured to return empty results instead by setting\nthe parameter 'failOnMissing' to 'false'.",
                    "params": [
                        {
                            "default": "",
                            "description": "Path to the JSON string of the merged data containing the TPA config\n",
                            "name": "dataPath",
                            "type": "string"
                        },
                        {
                            "default": "empty",
                            "description": "The OCI repository where the Trusted Artifacts are stored",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "1d",
                            "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable",
                            "name": "trustedArtifactsDebug",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "oras options to pass to Trusted Artifacts calls",
                            "name": "orasOptions",
                            "type": "string"
                        },
                        {
                            "default": "/mnt/trusted-ca/ca-bundle.crt",
                            "description": "Path to CA certificate bundle for TLS verification with self-signed certificates",
                            "name": "caCertPath",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Location of trusted artifacts to be used to populate data directory",
                            "name": "sourceDataArtifact",
                            "type": "string"
                        },
                        {
                            "default": "/var/workdir/release",
                            "description": "The location where data will be stored",
                            "name": "dataDir",
                            "type": "string"
                        },
                        {
                            "description": "The url to the git repo where the release-service-catalog tasks and stepactions to be used are stored",
                            "name": "taskGitUrl",
                            "type": "string"
                        },
                        {
                            "description": "The revision in the taskGitUrl repo to be used",
                            "name": "taskGitRevision",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "konflux-info",
                            "description": "The namespace where the ConfigMap is located",
                            "name": "configMapNamespace",
                            "type": "string"
                        },
                        {
                            "default": "cluster-config",
                            "description": "The name of the ConfigMap to read TPA parameters from",
                            "name": "configMapName",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Specify if this task should fail on missing parameters",
                            "name": "failOnMissing",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "URL of the TPA API.\n",
                            "name": "atlasApiUrl",
                            "type": "string"
                        },
                        {
                            "description": "URL of the SSO token issuer.\n",
                            "name": "ssoTokenUrl",
                            "type": "string"
                        },
                        {
                            "description": "The kubernetes secret to use to authenticate to TPA.\n",
                            "name": "secretName",
                            "type": "string"
                        },
                        {
                            "description": "The kubernetes secret to use to authenticate to the S3 retry mechanism bucket.\n",
                            "name": "retryAWSSecretName",
                            "type": "string"
                        },
                        {
                            "description": "Name of the S3 retry mechanism bucket.\n",
                            "name": "retryS3Bucket",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "1d"
                            },
                            {
                                "name": "ORAS_OPTIONS"
                            },
                            {
                                "name": "DEBUG"
                            }
                        ],
                        "securityContext": {
                            "runAsUser": 1001
                        },
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:5a40819d92d108beb1178a881e5372ac7bb8c4bf3ae6f8a37f3f36d4209790f2=/var/workdir/release"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "64Mi"
                                },
                                "requests": {
                                    "cpu": "30m",
                                    "memory": "64Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "ORAS_OPTIONS"
                                },
                                {
                                    "name": "CA_FILE",
                                    "value": "/mnt/trusted-ca/ca-bundle.crt"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "use-trusted-artifact"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "128Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "128Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                            "name": "collect-tpa-params",
                            "script": "#!/usr/bin/env bash\nset -x\n\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\n\necho 'Checking for configuration...'\nif retry 3 kubectl get configmap \"cluster-config\" -n \"konflux-info\" -o json \u003e \\\n \"$KFLX_CONFIG_PATH\"; then\n  atlasApiURL=$(jq -r '.data.trustifyServerExternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n  ssoTokenBaseURL=$(jq -r '.data.trustifyOIDCIssuerUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n  if [ -n \"$atlasApiURL\" ] \u0026\u0026 [ -n \"$ssoTokenBaseURL\" ]; then\n    echo 'Detected cluster-config, gathering information...'\n    ssoTokenFullURL=\"${ssoTokenBaseURL}/protocol/openid-connect/token\"\n    echo -n \"$atlasApiURL\" \u003e \"/tekton/results/atlasApiUrl\"\n    echo -n \"$ssoTokenFullURL\" \u003e \"/tekton/results/ssoTokenUrl\"\n    echo -n 'release-sso-secret' \u003e \"/tekton/results/secretName\"\n    # TSF doesn't use AWS S3, but empty secret names are invalid in K8s\n    echo -n 'secret-not-present' \u003e \"/tekton/results/retryAWSSecretName\"\n    echo -n '' \u003e \"/tekton/results/retryS3Bucket\"\n    echo 'Gathered info from cluster-config, shutting down script.'\n    exit 0\n  fi\nfi\n\necho 'Gathering data from data file...'\n\nDATA_FILE=\"/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/data.json\"\nif [ ! 
-f \"${DATA_FILE}\" ] ; then\n    echo \"ERROR: No valid data file was provided.\"\n    exit 1\nfi\natlasServer=$(jq -r '(.atlas // .tpa).server' \"$DATA_FILE\")\nif [ \"$atlasServer\" = \"stage\" ]; then\n    atlasApiUrl=\"https://atlas.release.stage.devshift.net\"\n    ssoTokenUrl=\"https://auth.stage.redhat.com/auth/realms/EmployeeIDP/protocol/openid-connect/token\"\n    secretName=$(jq -r \\\n      '(.atlas // .tpa).\"atlas-sso-secret-name\" // \"atlas-staging-sso-secret\"' \"$DATA_FILE\")\n    retryAWSSecretName=$(jq -r \\\n      '(.atlas // .tpa).\"atlas-retry-aws-secret-name\" // \"atlas-retry-s3-staging-secret\"' \"$DATA_FILE\")\n    retryS3Bucket=\"mpp-e1-preprod-sbom-29093454-2ea7-4fd0-b4cf-dc69a7529ee0\"\nelif [ \"$atlasServer\" = \"production\" ]; then\n    atlasApiUrl=\"https://atlas.release.devshift.net\"\n    ssoTokenUrl=\"https://auth.redhat.com/auth/realms/EmployeeIDP/protocol/openid-connect/token\"\n    secretName=$(jq -r '(.atlas // .tpa).\"atlas-sso-secret-name\" // \"atlas-prod-sso-secret\"' \"$DATA_FILE\")\n    retryAWSSecretName=$(jq -r \\\n      '(.atlas // .tpa).\"atlas-retry-aws-secret-name\" // \"atlas-retry-s3-production-secret\"' \"$DATA_FILE\")\n    retryS3Bucket=\"mpp-e1-prod-sbom-e02138d3-5c5c-4d90-a38f-6c54f658604d\"\nelif [ \"false\" == 'true' ]; then\n    if [ \"$atlasServer\" = \"null\" ]; then\n        echo \"ERROR: .(tpa/atlas).server value is missing from the data file. This field is mandatory.\"\n        echo \"Consult with your release engineering contact to ask why you are missing this value\"\n        exit 1\n    else\n        echo \"ERROR: Unknown .(tpa/atlas).server value '$atlasServer'. 
Expected 'stage' or 'production'.\"\n        exit 1\n    fi\nfi\n\necho -n \"$atlasApiUrl\" \u003e \"/tekton/results/atlasApiUrl\"\necho -n \"$ssoTokenUrl\" \u003e \"/tekton/results/ssoTokenUrl\"\necho -n \"$secretName\" \u003e \"/tekton/results/secretName\"\necho -n \"$retryAWSSecretName\" \u003e \"/tekton/results/retryAWSSecretName\"\necho -n \"$retryS3Bucket\" \u003e \"/tekton/results/retryS3Bucket\"\n"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=68",
                    "operator-sdk/primary-resource": "default-tenant/tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "operator-sdk/primary-resource-type": "Release.appstudio.redhat.com",
                    "pac.test.appstudio.openshift.io/branch": "base-lrytgv",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998167190",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-lrytgv",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de/records/7f310be0-4432-42ee-a63d-221f3cb8f8e6",
                    "results.tekton.dev/result": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "release"
                },
                "creationTimestamp": "2026-04-25T08:44:54Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/service": "release",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083437-000",
                    "pipelines.appstudio.openshift.io/type": "managed",
                    "release.appstudio.openshift.io/name": "tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "release.appstudio.openshift.io/namespace": "default-tenant",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "push-to-external-registry",
                    "tekton.dev/pipelineRun": "managed-gfn6w",
                    "tekton.dev/pipelineRunUID": "2e8f5616-b364-4304-9c89-016c508710de",
                    "tekton.dev/pipelineTask": "filter-already-released-images",
                    "tekton.dev/task": "filter-already-released-images"
                },
                "name": "managed-gfn6w-filter-already-released-images",
                "namespace": "default-managed-tenant-c009b",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "managed-gfn6w",
                        "uid": "2e8f5616-b364-4304-9c89-016c508710de"
                    }
                ],
                "resourceVersion": "46172",
                "uid": "7f310be0-4432-42ee-a63d-221f3cb8f8e6"
            },
            "spec": {
                "params": [
                    {
                        "name": "snapshotPath",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/snapshot_spec.json"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts"
                    },
                    {
                        "name": "sourceDataArtifact",
                        "value": "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:6ad3f682b24cb86ce3cb659e346b1b333452204818c5c744b9cd41af27b5dff3"
                    },
                    {
                        "name": "dataDir",
                        "value": "/var/workdir/release"
                    },
                    {
                        "name": "trustedArtifactsDebug",
                        "value": ""
                    },
                    {
                        "name": "taskGitUrl",
                        "value": "https://github.com/konflux-ci/release-service-catalog.git"
                    },
                    {
                        "name": "taskGitRevision",
                        "value": "development"
                    }
                ],
                "serviceAccountName": "release-pipeline",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/release-service-catalog.git"
                        },
                        {
                            "name": "revision",
                            "value": "development"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/managed/filter-already-released-images/filter-already-released-images.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:45:06Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:45:06Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "managed-gfn6w-filter-already-released-images-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                        },
                        "entryPoint": "tasks/managed/filter-already-released-images/filter-already-released-images.yaml",
                        "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                    }
                },
                "results": [
                    {
                        "name": "skip_release",
                        "type": "string",
                        "value": "false"
                    },
                    {
                        "name": "sourceDataArtifact",
                        "type": "string",
                        "value": "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:c2d14dcdbd825f47250880dfdc6cdaae015b7c37833223581b07cb1794712e6b"
                    }
                ],
                "startTime": "2026-04-25T08:44:54Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa",
                        "name": "use-trusted-artifact",
                        "provenance": {
                            "refSource": {
                                "digest": {
                                    "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                                },
                                "entryPoint": "stepactions/use-trusted-artifact/use-trusted-artifact.yaml",
                                "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                            }
                        },
                        "terminated": {
                            "containerID": "cri-o://33e59fd5261af6a561a89f3861b32c07cdcf2f95f05b5d4241f9e25a2b295236",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:45:02Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:45:02Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa",
                        "name": "create-trusted-artifact",
                        "provenance": {
                            "refSource": {
                                "digest": {
                                    "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                                },
                                "entryPoint": "stepactions/create-trusted-artifact/create-trusted-artifact.yaml",
                                "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                            }
                        },
                        "terminated": {
                            "containerID": "cri-o://df255078b1a4e470d91c9fbb14f27062b31086daff45ba78d4f01bb444b554bb",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:45:06Z",
                            "message": "[{\"key\":\"skip_release\",\"value\":\"false\",\"type\":1},{\"key\":\"sourceDataArtifact\",\"value\":\"oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:c2d14dcdbd825f47250880dfdc6cdaae015b7c37833223581b07cb1794712e6b\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:45:04Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-filter-already-released-images",
                        "imageID": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                        "name": "filter-already-released-images",
                        "terminated": {
                            "containerID": "cri-o://e0c8110e430a2529b4642a18ac211be0a966ae10020eeacad9570ebd3a42c40c",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:45:03Z",
                            "message": "[{\"key\":\"skip_release\",\"value\":\"false\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:45:03Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Tekton task to filter out images from a snapshot that have already been released.\nThis task checks target registries to determine if push-snapshot has completed successfully\nfor each component by validating that ALL required tags exist with the correct digest.\nComponents that are fully released (all tags present) are filtered out before conforma validation.\n\nTag-level validation ensures complete releases and prevents filtering components with\npartial tag pushes. A component is only filtered if ALL repositories have ALL\nrequired tags pointing to the correct digest.\n\nThe task overwrites the original snapshot file in place with a filtered version\ncontaining only unpublished or partially published images.\n\nThis task must run AFTER apply-mapping since it needs the mapped target repositories\nand their required tags from the enriched snapshot stored in trusted artifacts",
                    "params": [
                        {
                            "description": "Path to the JSON string of the Snapshot spec in the data workspace",
                            "name": "snapshotPath",
                            "type": "string"
                        },
                        {
                            "default": "empty",
                            "description": "The OCI repository where the Trusted Artifacts are stored",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "1d",
                            "description": "Expiration date for the trusted artifacts created in the OCI repository.\nAn empty string means the artifacts do not expire",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable",
                            "name": "trustedArtifactsDebug",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "oras options to pass to Trusted Artifacts calls",
                            "name": "orasOptions",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Location of trusted artifacts to be used to populate data directory",
                            "name": "sourceDataArtifact",
                            "type": "string"
                        },
                        {
                            "default": "/var/workdir/release",
                            "description": "The location where data will be stored",
                            "name": "dataDir",
                            "type": "string"
                        },
                        {
                            "default": "https://github.com/konflux-ci/release-service-catalog.git",
                            "description": "The url to the git repo where the release-service-catalog tasks to be used are stored",
                            "name": "taskGitUrl",
                            "type": "string"
                        },
                        {
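                            "description": "The revision in the taskGitUrl repo to be used. A branch name resolves to whatever commit is current when the run starts; use a commit SHA when the task content must be pinned",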
                            "name": "taskGitRevision",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "/mnt/trusted-ca/ca-bundle.crt",
                            "description": "Path to CA certificate bundle for TLS verification with self-signed certificates",
                            "name": "caCertPath",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Whether to skip release tasks (true if all components are already released)",
                            "name": "skip_release",
                            "type": "string"
                        },
                        {
                            "description": "The location of the source data artifact in the OCI repository",
                            "name": "sourceDataArtifact",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "1d"
                            },
                            {
                                "name": "ORAS_OPTIONS"
                            },
                            {
                                "name": "DEBUG"
                            }
                        ],
                        "securityContext": {
                            "runAsUser": 1001
                        },
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:6ad3f682b24cb86ce3cb659e346b1b333452204818c5c744b9cd41af27b5dff3=/var/workdir/release"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "64Mi"
                                },
                                "requests": {
                                    "cpu": "30m",
                                    "memory": "64Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "ORAS_OPTIONS"
                                },
                                {
                                    "name": "CA_FILE",
                                    "value": "/mnt/trusted-ca/ca-bundle.crt"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "use-trusted-artifact"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "1Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "1Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                            "name": "filter-already-released-images",
                            "script": "#!/usr/bin/env bash\nset -eux\n\nif [ -f \"/mnt/trusted-ca/ca-bundle.crt\" ]; then\n    export SSL_CERT_FILE=\"/mnt/trusted-ca/ca-bundle.crt\"\nfi\n\nSNAPSHOT_FILE=\"/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/snapshot_spec.json\"\n\nif [ ! -f \"${SNAPSHOT_FILE}\" ]; then\n    echo \"Error: Snapshot file not found: ${SNAPSHOT_FILE}\"\n    exit 1\nfi\n\nSNAPSHOT_JSON=$(cat \"${SNAPSHOT_FILE}\")\nCOMPONENT_COUNT=$(jq '.components | length' \u003c\u003c\u003c \"${SNAPSHOT_JSON}\")\n\nFILTERED_COMPONENTS='[]'\nFILTERED_COUNT=0\n\nfor ((i=0; i\u003cCOMPONENT_COUNT; i++)); do\n    COMPONENT=$(jq -c \".components[$i]\" \u003c\u003c\u003c \"${SNAPSHOT_JSON}\")\n    COMPONENT_NAME=$(jq -r '.name' \u003c\u003c\u003c \"${COMPONENT}\")\n    CONTAINER_IMAGE=$(jq -r '.containerImage' \u003c\u003c\u003c \"${COMPONENT}\")\n\n    # Get the component image digest using oras resolve (same as push-snapshot)\n    # This ensures we compare manifest index digests, not platform-specific ones\n    COMPONENT_AUTH_FILE=$(mktemp)\n    if ! select-oci-auth \"${CONTAINER_IMAGE}\" \u003e \"${COMPONENT_AUTH_FILE}\" 2\u003e/dev/null || \\\n       [ ! -s \"${COMPONENT_AUTH_FILE}\" ]; then\n        echo '{}' \u003e \"${COMPONENT_AUTH_FILE}\"\n    fi\n\n    # Try to resolve the component image. If this fails for ANY reason\n    # (auth, network, not found, etc.), treat as \"not released\"\n    if ! DIGEST=$(oras resolve --registry-config \"${COMPONENT_AUTH_FILE}\" \\\n        \"${CONTAINER_IMAGE}\" 2\u003e/dev/null); then\n        echo \"WARNING: Cannot resolve component image ${CONTAINER_IMAGE}, treating as not yet released\"\n        FILTERED_COMPONENTS=$(jq --argjson comp \"${COMPONENT}\" '. 
+= [$comp]' \u003c\u003c\u003c \"${FILTERED_COMPONENTS}\")\n        rm -f \"${COMPONENT_AUTH_FILE}\"\n        continue\n    fi\n    rm -f \"${COMPONENT_AUTH_FILE}\"\n\n    if [ -z \"${DIGEST}\" ]; then\n        echo \"WARNING: Empty digest for ${CONTAINER_IMAGE}, treating as not yet released\"\n        FILTERED_COMPONENTS=$(jq --argjson comp \"${COMPONENT}\" '. += [$comp]' \u003c\u003c\u003c \"${FILTERED_COMPONENTS}\")\n        continue\n    fi\n\n    echo \"  Component digest: ${DIGEST}\"\n\n    # Check if component has repositories (added by apply-mapping)\n    REPOSITORIES=$(jq -c '.repositories // []' \u003c\u003c\u003c \"${COMPONENT}\")\n    NUM_REPOS=$(jq 'length' \u003c\u003c\u003c \"${REPOSITORIES}\")\n\n    if [ \"${NUM_REPOS}\" -eq 0 ]; then\n        echo \"WARNING: No repositories found for component ${COMPONENT_NAME}\"\n        echo \"  Component will be kept (not filtered) since there are no target repos to check\"\n        FILTERED_COMPONENTS=$(jq --argjson comp \"${COMPONENT}\" \\\n          '. 
+= [$comp]' \u003c\u003c\u003c \"${FILTERED_COMPONENTS}\")\n        continue\n    fi\n\n    echo \"Checking component: ${COMPONENT_NAME} (${NUM_REPOS} target repositories)\"\n\n    # Check if ALL required tags exist with correct digest in ANY target repository\n    # We consider the component \"released\" if it is fully released to ANY of the\n    # mapped registries (i.e., if any repository has all required tags pointing\n    # to the same manifest digest).\n    ALL_TAGS_COMPLETE=\"false\"\n\n    for ((j=0; j\u003cNUM_REPOS; j++)); do\n        REPO_OBJ=$(jq -c \".[$j]\" \u003c\u003c\u003c \"${REPOSITORIES}\")\n        REPO_URL=$(jq -r '.url // \"\"' \u003c\u003c\u003c \"${REPO_OBJ}\")\n        REPO_TAGS=$(jq -c '.tags // []' \u003c\u003c\u003c \"${REPO_OBJ}\")\n\n        if [ -z \"${REPO_URL}\" ]; then\n            echo \"  WARNING: Repository #$((j+1)) has empty URL, skipping\"\n            continue\n        fi\n\n        NUM_TAGS=$(jq 'length' \u003c\u003c\u003c \"${REPO_TAGS}\")\n\n        if [ \"${NUM_TAGS}\" -eq 0 ]; then\n            echo \"  WARNING: Repository ${REPO_URL} has no tags specified, skipping\"\n            continue\n        fi\n\n        echo \"  Checking repository: ${REPO_URL} (${NUM_TAGS} tags)\"\n\n        REPO_COMPLETE=\"true\"\n        for ((k=0; k\u003cNUM_TAGS; k++)); do\n            TAG=$(jq -r \".[$k]\" \u003c\u003c\u003c \"${REPO_TAGS}\")\n            TARGET_IMAGE=\"${REPO_URL}:${TAG}\"\n\n            # Try to create auth file for target registry (optional for public/test registries)\n            TARGET_AUTH_FILE=$(mktemp)\n            if ! select-oci-auth \"${REPO_URL}\" \u003e \"${TARGET_AUTH_FILE}\" 2\u003e/dev/null || \\\n               [ ! -s \"${TARGET_AUTH_FILE}\" ]; then\n                # No auth available, use empty config\n                echo '{}' \u003e \"${TARGET_AUTH_FILE}\"\n            fi\n\n            # Try to resolve the target image. 
If this fails for ANY reason,\n            # treat as \"not found\" (repository doesn't exist, tag missing, etc.)\n            if ! ACTUAL_DIGEST=$(oras resolve --registry-config \"${TARGET_AUTH_FILE}\" \\\n                \"${TARGET_IMAGE}\" 2\u003e/dev/null); then\n                echo \"    Tag ${TAG}: Cannot resolve (treating as not found)\"\n                REPO_COMPLETE=\"false\"\n                rm -f \"${TARGET_AUTH_FILE}\"\n                break\n            fi\n            rm -f \"${TARGET_AUTH_FILE}\"\n\n            if [ -z \"${ACTUAL_DIGEST}\" ]; then\n                # Tag doesn't exist\n                echo \"    Tag ${TAG}: NOT FOUND\"\n                REPO_COMPLETE=\"false\"\n                break\n            elif [ \"${ACTUAL_DIGEST}\" != \"${DIGEST}\" ]; then\n                # Tag exists but points to wrong digest\n                echo \"    Tag ${TAG}: DIGEST MISMATCH\"\n                echo \"      Expected: ${DIGEST}\"\n                echo \"      Found:    ${ACTUAL_DIGEST}\"\n                REPO_COMPLETE=\"false\"\n                break\n            else\n                echo \"    Tag ${TAG}: ✅ MATCH (${ACTUAL_DIGEST})\"\n            fi\n        done\n\n        # If this repository is complete (all tags present and digests matched)\n        # then this component can be treated as already released (any-repo logic)\n        if [ \"${REPO_COMPLETE}\" == \"true\" ]; then\n          ALL_TAGS_COMPLETE=\"true\"\n          # We can stop checking other repos, one match is sufficient\n          break\n        fi\n    done\n\n    if [ \"${ALL_TAGS_COMPLETE}\" == \"true\" ]; then\n        echo \"✅ Component ${COMPONENT_NAME}: FILTERED (already released)\"\n        FILTERED_COUNT=$((FILTERED_COUNT + 1))\n    else\n        echo \"⏭️  Component ${COMPONENT_NAME}: KEPT (needs to be released)\"\n        FILTERED_COMPONENTS=$(jq --argjson comp \"${COMPONENT}\" '. 
+= [$comp]' \u003c\u003c\u003c \"${FILTERED_COMPONENTS}\")\n    fi\n    echo \"\"\ndone\n\n# Update snapshot with filtered components\nFILTERED_SNAPSHOT=$(jq --argjson comps \"${FILTERED_COMPONENTS}\" '.components = $comps' \u003c\u003c\u003c \"${SNAPSHOT_JSON}\")\necho \"${FILTERED_SNAPSHOT}\" \u003e \"${SNAPSHOT_FILE}\"\n\n# Summary\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\necho \"SUMMARY:\"\necho \"  Total components: ${COMPONENT_COUNT}\"\necho \"  Filtered (already released): ${FILTERED_COUNT}\"\necho \"  To be released: $((COMPONENT_COUNT - FILTERED_COUNT))\"\necho \"━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\"\n\n# Set skip_release=true if all components were filtered\nif [ \"${FILTERED_COUNT}\" -eq \"${COMPONENT_COUNT}\" ] \u0026\u0026 [ \"${COMPONENT_COUNT}\" -gt 0 ]; then\n    echo -n \"true\" \u003e \"/tekton/results/skip_release\"\nelse\n    echo -n \"false\" \u003e \"/tekton/results/skip_release\"\nfi\n"
                        },
                        {
                            "args": [
                                "create",
                                "--store",
                                "quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts",
                                "/tekton/results/sourceDataArtifact=/var/workdir/release"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "128Mi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "128Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "ORAS_OPTIONS"
                                },
                                {
                                    "name": "CA_FILE",
                                    "value": "/mnt/trusted-ca/ca-bundle.crt"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "create-trusted-artifact"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=73",
                    "operator-sdk/primary-resource": "default-tenant/tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "operator-sdk/primary-resource-type": "Release.appstudio.redhat.com",
                    "pac.test.appstudio.openshift.io/branch": "base-lrytgv",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998167190",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-lrytgv",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de/records/edb2927a-30fe-4d4b-b2c5-0003f2fb463a",
                    "results.tekton.dev/result": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "release"
                },
                "creationTimestamp": "2026-04-25T08:46:06Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.2.0",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/service": "release",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083437-000",
                    "pipelines.appstudio.openshift.io/type": "managed",
                    "release.appstudio.openshift.io/name": "tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "release.appstudio.openshift.io/namespace": "default-tenant",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "push-to-external-registry",
                    "tekton.dev/pipelineRun": "managed-gfn6w",
                    "tekton.dev/pipelineRunUID": "2e8f5616-b364-4304-9c89-016c508710de",
                    "tekton.dev/pipelineTask": "process-component-sbom",
                    "tekton.dev/task": "augment-component-sboms-ta"
                },
                "name": "managed-gfn6w-process-component-sbom",
                "namespace": "default-managed-tenant-c009b",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "managed-gfn6w",
                        "uid": "2e8f5616-b364-4304-9c89-016c508710de"
                    }
                ],
                "resourceVersion": "47198",
                "uid": "edb2927a-30fe-4d4b-b2c5-0003f2fb463a"
            },
            "spec": {
                "params": [
                    {
                        "name": "resultsDirPath",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/results"
                    },
                    {
                        "name": "snapshotSpec",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/snapshot_spec.json"
                    },
                    {
                        "name": "releaseData",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/data.json"
                    },
                    {
                        "name": "retryAWSSecretName",
                        "value": "secret-not-present"
                    },
                    {
                        "name": "retryS3Bucket",
                        "value": ""
                    },
                    {
                        "name": "atlasSecretName",
                        "value": "release-sso-secret"
                    },
                    {
                        "name": "ssoTokenUrl",
                        "value": "https://tsf-sso.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/realms/tsf-iam/protocol/openid-connect/token"
                    },
                    {
                        "name": "atlasApiUrl",
                        "value": "https://server-tsf-tpa.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts"
                    },
                    {
                        "name": "sourceDataArtifact",
                        "value": "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:c2d14dcdbd825f47250880dfdc6cdaae015b7c37833223581b07cb1794712e6b"
                    },
                    {
                        "name": "dataDir",
                        "value": "/var/workdir/release"
                    },
                    {
                        "name": "trustedArtifactsDebug",
                        "value": ""
                    },
                    {
                        "name": "taskGitUrl",
                        "value": "https://github.com/konflux-ci/release-service-catalog.git"
                    },
                    {
                        "name": "taskGitRevision",
                        "value": "development"
                    },
                    {
                        "name": "cosignSecretName",
                        "value": "secret-not-present"
                    },
                    {
                        "name": "attestationPubKey",
                        "value": "k8s://openshift-pipelines/public-key"
                    },
                    {
                        "name": "defaultOIDCIssuer",
                        "value": "https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j"
                    },
                    {
                        "name": "rekorExternalUrl",
                        "value": "https://rekor-server-tsf-tas.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com"
                    },
                    {
                        "name": "fulcioExternalUrl",
                        "value": "https://fulcio-server-tsf-tas.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com"
                    },
                    {
                        "name": "tufExternalUrl",
                        "value": "https://tuf-tsf-tas.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com"
                    },
                    {
                        "name": "buildIdentityRegexp",
                        "value": "^https://kubernetes.io/namespaces/[a-z0-9-]+-tenant/serviceaccounts/build-pipeline-[a-z0-9-]+$"
                    }
                ],
                "serviceAccountName": "release-pipeline",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/mobster.git"
                        },
                        {
                            "name": "revision",
                            "value": "fb3aaa43fb938f05c3f175a7e4c699da63c5f34b"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/augment-component-sboms-ta/0.3/augment-component-sboms-ta.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:46:30Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:46:30Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "managed-gfn6w-process-component-sbom-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "fb3aaa43fb938f05c3f175a7e4c699da63c5f34b"
                        },
                        "entryPoint": "tasks/augment-component-sboms-ta/0.3/augment-component-sboms-ta.yaml",
                        "uri": "git+https://github.com/konflux-ci/mobster.git"
                    }
                },
                "results": [
                    {
                        "name": "sourceDataArtifact",
                        "type": "string",
                        "value": "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:d9311c670797e79ce8ad9cfc3ad05e895eff72f2e8edd1a6f9e1626447f3faac"
                    }
                ],
                "startTime": "2026-04-25T08:46:06Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa",
                        "name": "use-trusted-artifact",
                        "provenance": {
                            "refSource": {
                                "digest": {
                                    "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                                },
                                "entryPoint": "stepactions/use-trusted-artifact/use-trusted-artifact.yaml",
                                "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                            }
                        },
                        "terminated": {
                            "containerID": "cri-o://1e0ff1e84b70d539e09f22a9fa9c1c62731c0f0227b4ce252f3b0309ad57dd67",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:46:21Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:46:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa",
                        "name": "create-trusted-artifact",
                        "provenance": {
                            "refSource": {
                                "digest": {
                                    "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                                },
                                "entryPoint": "stepactions/create-trusted-artifact/create-trusted-artifact.yaml",
                                "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                            }
                        },
                        "terminated": {
                            "containerID": "cri-o://7a604462bf501a5e503cab5052aabd5249bdf87f37dcfe661ceb3a5e3c0e6b64",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:46:30Z",
                            "message": "[{\"key\":\"sourceDataArtifact\",\"value\":\"oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:d9311c670797e79ce8ad9cfc3ad05e895eff72f2e8edd1a6f9e1626447f3faac\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:46:29Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-process-component-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:6031da763d8e624d21cd9be1f91e90449b5801227c52adbf76b964895c0718b9",
                        "name": "process-component-sboms",
                        "terminated": {
                            "containerID": "cri-o://74b2e04cec99fa11497a8dc08fe75a34ac7a20c94d868619fc4831abc66a9926",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:46:28Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:46:21Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Update component-level SBOMs with release-time information, and optionally upload them to Atlas and S3.",
                    "params": [
                        {
                            "default": "empty",
                            "description": "The OCI repository where the Trusted Artifacts are stored.",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "1d",
                            "description": "Expiration period for the trusted artifacts created in the OCI repository, given as a duration. An empty string means the artifacts do not expire.",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable.",
                            "name": "trustedArtifactsDebug",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Options for oras that are passed to Trusted Artifacts calls.",
                            "name": "orasOptions",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Location of trusted artifacts to be used to populate data directory",
                            "name": "sourceDataArtifact",
                            "type": "string"
                        },
                        {
                            "default": "/var/workdir/release",
                            "description": "The location where data will be stored",
                            "name": "dataDir",
                            "type": "string"
                        },
                        {
                            "description": "The URL of the git repo that stores the trusted artifact StepActions to be used.",
                            "name": "taskGitUrl",
                            "type": "string"
                        },
                        {
                            "description": "The revision in the taskGitUrl repo to be used for trusted artifact stepactions",
                            "name": "taskGitRevision",
                            "type": "string"
                        },
                        {
                            "description": "Path to the mapped snapshot spec.",
                            "name": "snapshotSpec",
                            "type": "string"
                        },
                        {
                            "description": "The name of the K8s secret containing the 'sso_account' and 'sso_token' keys used for Atlas OIDC authentication.\n",
                            "name": "atlasSecretName",
                            "type": "string"
                        },
                        {
                            "default": "secret-not-present",
                            "description": "The name of the K8s secret containing the 'atlas-aws-access-key-id' and 'atlas-aws-secret-access-key' keys used for AWS S3 access.\n",
                            "name": "retryAWSSecretName",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The name of the S3 bucket used to store data for the retry mechanism.\n",
                            "name": "retryS3Bucket",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the Atlas API host.",
                            "name": "atlasApiUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the SSO token issuer.",
                            "name": "ssoTokenUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Path to the certificate authority bundle to set up TPA requests.",
                            "name": "caPath",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of SBOMs that will be augmented concurrently. Higher\nlimit will speed up execution for larger snapshots, but will have\nhigher memory requirements.\n",
                            "name": "augmentConcurrency",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of SBOMs that will be uploaded to Atlas concurrently.\nHigher limit will speed up execution for larger snapshots, but will\nhave higher memory requirements.\n",
                            "name": "uploadConcurrency",
                            "type": "string"
                        },
                        {
                            "description": "Path to the directory in the dataDir where JSON task results are stored.",
                            "name": "resultsDirPath",
                            "type": "string"
                        },
                        {
                            "default": "secret-not-present",
                            "description": "K8s secret name with a cosign signing key used for SBOM attestation.",
                            "name": "cosignSecretName",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "K8s reference to a secret containing a key for verifying provenance attestations",
                            "name": "attestationPubKey",
                            "type": "string"
                        },
                        {
                            "description": "Path to the merged data file from collect-data in the dataDir.",
                            "name": "releaseData",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "A default OIDC issuer URL to be used for signing.",
                            "name": "defaultOIDCIssuer",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The external URL of the Rekor transparency log.",
                            "name": "rekorExternalUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The external URL of the Fulcio certificate authority.",
                            "name": "fulcioExternalUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The external URL of the TUF repository.",
                            "name": "tufExternalUrl",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "A regular expression to extract build identity from the OIDC token claims, if applicable.\n",
                            "name": "buildIdentityRegexp",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "/mnt/trusted-ca/ca-bundle.crt",
                            "description": "Path to CA certificate bundle for TLS verification with self-signed certificates",
                            "name": "caCertPath",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Produced trusted data artifact",
                            "name": "sourceDataArtifact",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "1d"
                            },
                            {
                                "name": "ORAS_OPTIONS"
                            },
                            {
                                "name": "DEBUG"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:c2d14dcdbd825f47250880dfdc6cdaae015b7c37833223581b07cb1794712e6b=/var/workdir/release"
                            ],
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "ORAS_OPTIONS"
                                },
                                {
                                    "name": "CA_FILE",
                                    "value": "/mnt/trusted-ca/ca-bundle.crt"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "use-trusted-artifact"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "2Gi"
                                },
                                "requests": {
                                    "cpu": "350m",
                                    "memory": "2Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "MOBSTER_TPA_SSO_ACCOUNT",
                                    "valueFrom": {
                                        "secretKeyRef": {
                                            "key": "sso_account",
                                            "name": "release-sso-secret",
                                            "optional": true
                                        }
                                    }
                                },
                                {
                                    "name": "MOBSTER_TPA_SSO_TOKEN",
                                    "valueFrom": {
                                        "secretKeyRef": {
                                            "key": "sso_token",
                                            "name": "release-sso-secret",
                                            "optional": true
                                        }
                                    }
                                },
                                {
                                    "name": "MOBSTER_TPA_SSO_TOKEN_URL",
                                    "value": "https://tsf-sso.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/realms/tsf-iam/protocol/openid-connect/token"
                                },
                                {
                                    "name": "MOBSTER_TPA_CA_INFO"
                                },
                                {
                                    "name": "AWS_ACCESS_KEY_ID",
                                    "valueFrom": {
                                        "secretKeyRef": {
                                            "key": "atlas-aws-access-key-id",
                                            "name": "secret-not-present",
                                            "optional": true
                                        }
                                    }
                                },
                                {
                                    "name": "AWS_SECRET_ACCESS_KEY",
                                    "valueFrom": {
                                        "secretKeyRef": {
                                            "key": "atlas-aws-secret-access-key",
                                            "name": "secret-not-present",
                                            "optional": true
                                        }
                                    }
                                },
                                {
                                    "name": "AWS_DEFAULT_REGION",
                                    "value": "us-east-1"
                                },
                                {
                                    "name": "SIGN_KEY",
                                    "valueFrom": {
                                        "secretKeyRef": {
                                            "key": "SIGN_KEY",
                                            "name": "secret-not-present",
                                            "optional": true
                                        }
                                    }
                                },
                                {
                                    "name": "COSIGN_AWS_DEFAULT_REGION",
                                    "valueFrom": {
                                        "secretKeyRef": {
                                            "key": "AWS_DEFAULT_REGION",
                                            "name": "secret-not-present",
                                            "optional": true
                                        }
                                    }
                                },
                                {
                                    "name": "COSIGN_AWS_ACCESS_KEY_ID",
                                    "valueFrom": {
                                        "secretKeyRef": {
                                            "key": "AWS_ACCESS_KEY_ID",
                                            "name": "secret-not-present",
                                            "optional": true
                                        }
                                    }
                                },
                                {
                                    "name": "COSIGN_AWS_SECRET_ACCESS_KEY",
                                    "valueFrom": {
                                        "secretKeyRef": {
                                            "key": "AWS_SECRET_ACCESS_KEY",
                                            "name": "secret-not-present",
                                            "optional": true
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/mobster@sha256:a70cc191987b39b3b4e67ec4fecc26baa0a5197530bf67049604880c3789fbd7",
                            "name": "process-component-sboms",
                            "script": "#!/usr/bin/env bash\nset -eux\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nsystem_bundle=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cat \"$ca_bundle\" \u003e\u003e \"$system_bundle\"\nfi\n\n# This is a little fragile, ideally it would be just a param. It's here\n# for consistency with other tasks in release-service-catalog. The\n# script below will verify that the release_id has the correct format.\nrelease_id=$(dirname \"2e8f5616-b364-4304-9c89-016c508710de/snapshot_spec.json\")\n\nmobster_args=(\n  --data-dir \"/var/workdir/release\"\n  --snapshot-spec \"2e8f5616-b364-4304-9c89-016c508710de/snapshot_spec.json\"\n  --atlas-api-url \"https://server-tsf-tpa.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com\"\n  --release-id \"$release_id\"\n  --augment-concurrency \"8\"\n  --upload-concurrency \"8\"\n  --result-dir \"2e8f5616-b364-4304-9c89-016c508710de/results\"\n  --release-data \"2e8f5616-b364-4304-9c89-016c508710de/data.json\"\n)\n# Params are basically Bash commands, their value\n# has to be checked with -n. Env variables should\n# be checked with -v to not leak expanded secrets\n# through xtrace. 
Bash conditionals ([[) have to\n# be used instead of Shell conditionals ([) to use -v\nif [[ -n \"https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j\" \\\n  \u0026\u0026 -n \"https://rekor-server-tsf-tas.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com\" \\\n  \u0026\u0026 -n \"https://fulcio-server-tsf-tas.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com\" \\\n  \u0026\u0026 -n \"https://tuf-tsf-tas.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com\" \\\n  \u0026\u0026 -n \"^https://kubernetes.io/namespaces/[a-z0-9-]+-tenant/serviceaccounts/build-pipeline-[a-z0-9-]+$\" \\\n]]; then\n  # Keyless signing is used for augmentation\n  cosign initialize --root \"https://tuf-tsf-tas.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/root.json\" \\\n    --mirror \"https://tuf-tsf-tas.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com\"\n  mobster_args+=(\n    --oidc-token /var/run/sigstore/cosign/oidc-token\n    --fulcio-url \"https://fulcio-server-tsf-tas.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com\"\n    --oidc-issuer \"https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j\"\n    --oidc-identity-pattern \"^https://kubernetes.io/namespaces/[a-z0-9-]+-tenant/serviceaccounts/build-pipeline-[a-z0-9-]+$\"\n    --rekor-url \"https://rekor-server-tsf-tas.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com\"\n  )\nelif [[ -n \"k8s://openshift-pipelines/public-key\" \\\n  \u0026\u0026 -v SIGN_KEY \\\n  \u0026\u0026 -v COSIGN_AWS_DEFAULT_REGION \\\n  \u0026\u0026 -v COSIGN_AWS_ACCESS_KEY_ID \\\n  \u0026\u0026 -v COSIGN_AWS_SECRET_ACCESS_KEY\n]]; then\n  # Static key signing is used for augmentation\n  mobster_args+=(\n    --verify-key \"k8s://openshift-pipelines/public-key\"\n    --sign-key \"$SIGN_KEY\"\n  )\nfi\nif [[ -n \"\" ]]; then\n  mobster_args+=(\n    --retry-s3-bucket \"\"\n  )\nfi\nprocess_component_sboms \"${mobster_args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token"
                                }
                            ]
                        },
                        {
                            "args": [
                                "create",
                                "--store",
                                "quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts",
                                "/tekton/results/sourceDataArtifact=/var/workdir/release"
                            ],
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "ORAS_OPTIONS"
                                },
                                {
                                    "name": "CA_FILE",
                                    "value": "/mnt/trusted-ca/ca-bundle.crt"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "create-trusted-artifact"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 1800,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=71",
                    "operator-sdk/primary-resource": "default-tenant/tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "operator-sdk/primary-resource-type": "Release.appstudio.redhat.com",
                    "pac.test.appstudio.openshift.io/branch": "base-lrytgv",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998167190",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-lrytgv",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de/records/58f1e717-edff-486d-8af4-540e073d554f",
                    "results.tekton.dev/result": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "release"
                },
                "creationTimestamp": "2026-04-25T08:45:40Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/service": "release",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083437-000",
                    "pipelines.appstudio.openshift.io/type": "managed",
                    "release.appstudio.openshift.io/name": "tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "release.appstudio.openshift.io/namespace": "default-tenant",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "push-to-external-registry",
                    "tekton.dev/pipelineRun": "managed-gfn6w",
                    "tekton.dev/pipelineRunUID": "2e8f5616-b364-4304-9c89-016c508710de",
                    "tekton.dev/pipelineTask": "push-snapshot",
                    "tekton.dev/task": "push-snapshot"
                },
                "name": "managed-gfn6w-push-snapshot",
                "namespace": "default-managed-tenant-c009b",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "managed-gfn6w",
                        "uid": "2e8f5616-b364-4304-9c89-016c508710de"
                    }
                ],
                "resourceVersion": "46796",
                "uid": "58f1e717-edff-486d-8af4-540e073d554f"
            },
            "spec": {
                "params": [
                    {
                        "name": "snapshotPath",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/snapshot_spec.json"
                    },
                    {
                        "name": "dataPath",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/data.json"
                    },
                    {
                        "name": "resultsDirPath",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/results"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts"
                    },
                    {
                        "name": "sourceDataArtifact",
                        "value": "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:c2d14dcdbd825f47250880dfdc6cdaae015b7c37833223581b07cb1794712e6b"
                    },
                    {
                        "name": "dataDir",
                        "value": "/var/workdir/release"
                    },
                    {
                        "name": "trustedArtifactsDebug",
                        "value": ""
                    },
                    {
                        "name": "taskGitUrl",
                        "value": "https://github.com/konflux-ci/release-service-catalog.git"
                    },
                    {
                        "name": "taskGitRevision",
                        "value": "development"
                    }
                ],
                "retries": 5,
                "serviceAccountName": "release-pipeline",
                "stepSpecs": [
                    {
                        "computeResources": {
                            "limits": {
                                "memory": "1Gi"
                            },
                            "requests": {
                                "cpu": "10m",
                                "memory": "256Mi"
                            }
                        },
                        "name": "push-snapshot"
                    }
                ],
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/release-service-catalog.git"
                        },
                        {
                            "name": "revision",
                            "value": "development"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/managed/push-snapshot/push-snapshot.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:46:06Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:46:06Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "managed-gfn6w-push-snapshot-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                        },
                        "entryPoint": "tasks/managed/push-snapshot/push-snapshot.yaml",
                        "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                    }
                },
                "results": [
                    {
                        "name": "sourceDataArtifact",
                        "type": "string",
                        "value": "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:7343aa534558c5f991bde351eae26d1a484d6f9c5fc2852064c95a8c152ed7b6"
                    }
                ],
                "startTime": "2026-04-25T08:45:40Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa",
                        "name": "use-trusted-artifact",
                        "provenance": {
                            "refSource": {
                                "digest": {
                                    "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                                },
                                "entryPoint": "stepactions/use-trusted-artifact/use-trusted-artifact.yaml",
                                "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                            }
                        },
                        "terminated": {
                            "containerID": "cri-o://16f29fcb9e4a1e81113114364d3d6b3c9062e146694baf4b274272b7882f52e8",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:46:00Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:46:00Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa",
                        "name": "create-trusted-artifact",
                        "provenance": {
                            "refSource": {
                                "digest": {
                                    "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                                },
                                "entryPoint": "stepactions/create-trusted-artifact/create-trusted-artifact.yaml",
                                "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                            }
                        },
                        "terminated": {
                            "containerID": "cri-o://a070cf6f8abaacf1cc455b4cad24aef3301f46da62638e2fadd296a8de0c9a19",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:46:05Z",
                            "message": "[{\"key\":\"sourceDataArtifact\",\"value\":\"oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:7343aa534558c5f991bde351eae26d1a484d6f9c5fc2852064c95a8c152ed7b6\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:46:04Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push-snapshot",
                        "imageID": "quay.io/konflux-ci/release-service-utils@sha256:3cb03b14ac9d90ff27070036ce2b50712e65aa285daeb28852254a745bb25dfc",
                        "name": "push-snapshot",
                        "terminated": {
                            "containerID": "cri-o://7a4f8437c6d4e2f11c61ff7d0b5e3379c72f40dfcbecb664f49110fcdbccc6e8",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:46:03Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:46:00Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Tekton task to push snapshot images to an image registry using `cosign copy`.",
                    "params": [
                        {
                            "description": "Path to the JSON string of the mapped Snapshot spec in the data workspace",
                            "name": "snapshotPath",
                            "type": "string"
                        },
                        {
                            "description": "Path to the JSON string of the merged data to use in the data workspace",
                            "name": "dataPath",
                            "type": "string"
                        },
                        {
                            "description": "Path to the results directory in the data workspace",
                            "name": "resultsDirPath",
                            "type": "string"
                        },
                        {
                            "default": "20",
                            "description": "The maximum number of images to be processed concurrently",
                            "name": "concurrentLimit",
                            "type": "string"
                        },
                        {
                            "default": "3",
                            "description": "Retry copy N times",
                            "name": "retries",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "empty",
                            "description": "The OCI repository where the Trusted Artifacts are stored",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "1d",
                            "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable",
                            "name": "trustedArtifactsDebug",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "oras options to pass to Trusted Artifacts calls",
                            "name": "orasOptions",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Location of trusted artifacts to be used to populate data directory",
                            "name": "sourceDataArtifact",
                            "type": "string"
                        },
                        {
                            "default": "/var/workdir/release",
                            "description": "The location where data will be stored",
                            "name": "dataDir",
                            "type": "string"
                        },
                        {
                            "description": "The url to the git repo where the release-service-catalog tasks and stepactions to be used are stored",
                            "name": "taskGitUrl",
                            "type": "string"
                        },
                        {
                            "description": "The revision in the taskGitUrl repo to be used",
                            "name": "taskGitRevision",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Enable copying of attached artifacts",
                            "name": "copyBundleMigrations",
                            "type": "string"
                        },
                        {
                            "default": "/mnt/trusted-ca/ca-bundle.crt",
                            "description": "Path to CA certificate bundle for TLS verification with self-signed certificates",
                            "name": "caCertPath",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Produced trusted data artifact",
                            "name": "sourceDataArtifact",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "1d"
                            },
                            {
                                "name": "ORAS_OPTIONS"
                            },
                            {
                                "name": "DEBUG"
                            }
                        ],
                        "securityContext": {
                            "runAsUser": 1001
                        },
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:c2d14dcdbd825f47250880dfdc6cdaae015b7c37833223581b07cb1794712e6b=/var/workdir/release"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "64Mi"
                                },
                                "requests": {
                                    "cpu": "30m",
                                    "memory": "64Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "ORAS_OPTIONS"
                                },
                                {
                                    "name": "CA_FILE",
                                    "value": "/mnt/trusted-ca/ca-bundle.crt"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "use-trusted-artifact"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "1Gi"
                                },
                                "requests": {
                                    "cpu": "2",
                                    "memory": "1Gi"
                                }
                            },
                            "image": "quay.io/konflux-ci/release-service-utils@sha256:3cb03b14ac9d90ff27070036ce2b50712e65aa285daeb28852254a745bb25dfc",
                            "name": "push-snapshot",
                            "script": "#!/usr/bin/env bash\nset -eux\n\nif [ -f \"/mnt/trusted-ca/ca-bundle.crt\" ]; then\n    export SSL_CERT_FILE=\"/mnt/trusted-ca/ca-bundle.crt\"\nfi\n\npush_image () { # Expected arguments are [origin_digest, name, containerImage, repository, tag, platform]\n  # note: Inspection might fail on empty repos, hence `|| true`\n\n  # oras has very limited support for selecting the right auth entry,\n  # so create a custom auth file with just one entry.\n  DEST_AUTH_FILE=$(mktemp)\n  registry=$(echo \"$4\" | cut -d '/' -f 1)\n  if [ \"$registry\" = \"docker.io\" ]; then\n    # For docker.io, the auth key will always be https://index.docker.io/v1/\n    select-oci-auth \"$4\" \u003e \"$DEST_AUTH_FILE\"\n  else\n    # For other registries, the auth key will be modified to the full repository path, so that\n    # we can create a combined auth file with source and destination entries for `cosign copy` later\n    select-oci-auth \"$4\" | jq -c \\\n      '.auths.\"'\"$4\"'\" = .auths.\"'\"$registry\"'\" | del(.auths.\"'\"$registry\"'\")' \u003e \"$DEST_AUTH_FILE\"\n  fi\n\n  oras_args=()\n  if [ -n \"$6\" ]; then\n    oras_args=(--platform \"$6\")\n  fi\n\n  destination_digest=$(oras resolve --registry-config \"$DEST_AUTH_FILE\" \"$4:$5\" || true)\n\n  if [[ \"$destination_digest\" != \"$1\" || -z \"$destination_digest\" ]]; then\n    printf '* Pushing component: %s to %s:%s\\n' \"$2\" \"$4\" \"$5\"\n    # Create a combined auth file to enable partial oci matches to work\n    DOCKER_CONFIG=\"$(mktemp -d)\"\n    export DOCKER_CONFIG\n    # shellcheck disable=SC2128\n    jq -s 'reduce .[] as $item ({}; . 
* $item)' \\\n      \"$SOURCE_AUTH_FILE\" \"$DEST_AUTH_FILE\" \u003e \"$DOCKER_CONFIG\"/config.json\n\n    # Check if we should copy attached artifacts\n    if [[ \"$COPY_BUNDLE_MIGRATIONS\" == \"true\" ]]; then\n      # Check for any attached artifacts using oras discover, with retries on failure\n      printf '* Checking for attached artifacts on %s\\n' \"$3\"\n      artifact_count=\"0\"\n      discover_attempt=0\n      discover_succeeded=false\n      until [ \"$discover_attempt\" -gt \"3\" ]; do # same retry style as copy loop\n        if oras discover \\\n          --registry-config \"$SOURCE_AUTH_FILE\" \\\n          \"$3\" \\\n          --format json \\\n          \u003e/tmp/artifacts.json\n        then\n          artifact_count=$(jq -r '.referrers | length' /tmp/artifacts.json || echo \"0\")\n          echo \"Found $artifact_count artifacts\"\n          discover_succeeded=true\n          break\n        else\n          rc=$?\n          echo \"oras discover failed (attempt $((discover_attempt+1))) with exit code $rc\"\n          discover_attempt=$((discover_attempt+1))\n        fi\n      done\n      if [ \"$discover_succeeded\" != true ]; then\n        echo \"Max retries exceeded. 
Proceeding without attached artifacts (falling back to cosign copy).\"\n      fi\n    fi\n\n    attempt=0\n    until [ \"$attempt\" -gt \"3\" ] ; do # 0 retries by default which will execute this once\n      if [[ \"$COPY_BUNDLE_MIGRATIONS\" == \"true\" \u0026\u0026 \"${artifact_count}\" -gt 0 ]]; then\n        # Copy the image and all attached artifacts\n        oras cp -r \\\n          --from-registry-config \"$SOURCE_AUTH_FILE\" \\\n          --to-registry-config \"$DEST_AUTH_FILE\" \\\n          \"${oras_args[@]}\" \\\n          \"$3\" \\\n          \"$4:$5\" \\\n          \u0026\u0026 break\n      else\n        # Fallback to classic image copy\n        cosign copy -f \"$3\" \"$4:$5\" \u0026\u0026 break\n      fi\n      attempt=$((attempt+1))\n    done\n    if [ \"$attempt\" -gt \"3\" ] ; then\n      echo \"Max retries exceeded.\"\n      exit 1\n    fi\n    # Only the cosign call above needs this custom Docker config. Unset it, so that skopeo call\n    # in get-image-architecture uses the default config in ~/.docker/config.json (this one would break it)\n    unset DOCKER_CONFIG\n  else\n    printf '* Component push skipped (source digest exists at destination): %s (%s)\\n' \\\n      \"$2\" \"$3\"\n  fi\n  jq -n --arg name \"$2\" --arg url \"$4:$5\" '{name: $name, url: $url}' \u003e \"$TMP_RESULTS_DIR/$2-$5.json\"\n}\n\n# Push migration artifact using oras cp\n# Expected arguments are [source_repo, migration_digest, name, repository, migration_tag, source_auth_file]\npush_migration_artifact () {\n  local source_repo=\"$1\"\n  local migration_digest=\"$2\"\n  local name=\"$3\"\n  local repository=\"$4\"\n  local migration_tag=\"$5\"\n  local source_auth_file=\"$6\"\n\n  local migration_source=\"${source_repo}@${migration_digest}\"\n\n  # Create destination auth file\n  local dest_auth_file\n  dest_auth_file=$(mktemp)\n  local dest_registry\n  dest_registry=$(echo \"$repository\" | cut -d '/' -f 1)\n  if [ \"$dest_registry\" = \"docker.io\" ]; then\n    
select-oci-auth \"$repository\" \u003e \"$dest_auth_file\"\n  else\n    select-oci-auth \"$repository\" | jq -c \\\n      '.auths.\"'\"$repository\"'\" = .auths.\"'\"$dest_registry\"'\" | del(.auths.\"'\"$dest_registry\"'\")' \\\n      \u003e \"$dest_auth_file\"\n  fi\n\n  # Check if migration artifact already exists at destination\n  local destination_digest\n  destination_digest=$(oras resolve --registry-config \"$dest_auth_file\" \\\n    \"${repository}:${migration_tag}\" || true)\n\n  if [[ \"$destination_digest\" != \"$migration_digest\" || -z \"$destination_digest\" ]]; then\n    printf '* Pushing migration artifact for component: %s to %s:%s\\n' \"$name\" \"$repository\" \"$migration_tag\"\n\n    local attempt=0\n    until [ \"$attempt\" -gt \"3\" ] ; do\n      if oras cp \\\n        --from-registry-config \"$source_auth_file\" \\\n        --to-registry-config \"$dest_auth_file\" \\\n        \"$migration_source\" \\\n        \"${repository}:${migration_tag}\"\n      then\n        break\n      fi\n      attempt=$((attempt+1))\n      echo \"Migration artifact copy failed (attempt $attempt)\"\n    done\n    if [ \"$attempt\" -gt \"3\" ] ; then\n      echo \"Max retries exceeded for migration artifact copy.\"\n      exit 1\n    fi\n  else\n    printf '* Migration artifact push skipped (already exists at destination): %s (%s)\\n' \\\n      \"$name\" \"$migration_source\"\n  fi\n}\n\nSNAPSHOT_SPEC_FILE=\"/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/snapshot_spec.json\"\nif [ ! -f \"${SNAPSHOT_SPEC_FILE}\" ] ; then\n    echo \"No valid snapshot file was provided.\"\n    exit 1\nfi\n\nDATA_FILE=\"/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/data.json\"\nif [ ! 
-f \"${DATA_FILE}\" ] ; then\n    echo \"No data JSON was provided.\"\n    exit 1\nfi\n\nif [ \"$(jq '.components | map(select(.repositories |\n  map(select((has(\"tags\")|not) or (.tags | IN([])))) | length \u003e 0)) | length' \\\n  \"${SNAPSHOT_SPEC_FILE}\")\" -ne 0 ] ; then\n    echo \"Found components in the snapshot file that do not contain tags. Failing\"\n    cat \"${SNAPSHOT_SPEC_FILE}\"\n    exit 1\nfi\n\nRESULTS_FILE=\"/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/results/push-snapshot-results.json\"\nRESULTS_JSON_FILE=$(mktemp)\necho '{\"images\":[]}' \u003e \"$RESULTS_JSON_FILE\"\n\n# Initialize memory throttling\n# This file is located at utils/memory-throttle.sh in the release-service-utils image\n# shellcheck source=/dev/null\nsource memory-throttle.sh\n# This function is stored in the utils/memory-throttle.sh file\nlog_memory_throttle_status 80\n\nRUNNING_JOBS=\"\\j\" # A Bash param for number of jobs running\nCONCURRENT_LIMIT=20\nBURST_SIZE=5\nSTABILIZATION_DELAY=2\nREQUEST_COUNT=0\nSUCCESS=true\njobs_spawned=0\njobs_collected=0\n\n# Wait for a slot to open up in the concurrent limit and for memory to be available\nwait_for_slot () {\n  # This function is stored in the utils/memory-throttle.sh file\n  # First wait for memory to be available\n  wait_for_memory 80\n  # Then wait for concurrent limit\n  while (( ${RUNNING_JOBS@P} \u003e= \"$CONCURRENT_LIMIT\" )); do\n    wait -n || SUCCESS=false\n    jobs_collected=$((jobs_collected + 1))\n  done\n}\n\n# Create a temporary directory to store the results of each push\nTMP_RESULTS_DIR=$(mktemp -d)\n\ndefaultPushSourceContainer=$(jq -r \\\n  '.mapping.defaults.pushSourceContainer | if . == null then true else . 
end' \"$DATA_FILE\")\nCOPY_BUNDLE_MIGRATIONS=\"false\"\n\ncomponentGroup=$(jq -r '.componentGroup' \"${SNAPSHOT_SPEC_FILE}\")\nNUM_COMPONENTS=$(jq '.components | length' \"${SNAPSHOT_SPEC_FILE}\")\nprintf 'Beginning \"%s\" for \"%s\"\\n\\n' \"managed-gfn6w-push-snapshot\" \"$componentGroup\"\nfor ((i = 0; i \u003c NUM_COMPONENTS; i++))\ndo\n  component=$(jq -c --argjson i \"$i\" '.components[$i]' \"${SNAPSHOT_SPEC_FILE}\")\n  containerImage=$(jq -r '.containerImage' \u003c\u003c\u003c \"$component\")\n\n  # oras has very limited support for selecting the right auth entry,\n  # so create a custom auth file with just one entry.\n  registry=$(echo \"${containerImage}\" | cut -d '/' -f 1)\n  # Apply-mapping ensures that the containerImage contains a sha256 digest\n  source_repo=${containerImage%%@sha256:*}\n  SOURCE_AUTH_FILE=$(mktemp)\n  select-oci-auth \"${containerImage}\" | jq -c \\\n    '.auths.\"'\"$source_repo\"'\" = .auths.\"'\"$registry\"'\" | del(.auths.\"'\"$registry\"'\")' \u003e \"$SOURCE_AUTH_FILE\"\n\n  arch_json=$(get-image-architectures \"${containerImage}\")\n  arches=$(jq -s 'map(.platform.architecture)' \u003c\u003c\u003c \"$arch_json\")\n  oses=$(jq -s 'map(.platform.os)' \u003c\u003c\u003c \"$arch_json\")\n\n  # Just read the first from the list of architectures\n  os=$(jq -r '.[0]' \u003c\u003c\u003c \"$oses\")\n  arch=$(jq -r '.[0]' \u003c\u003c\u003c \"$arches\")\n  name=$(jq -r '.name' \u003c\u003c\u003c \"$component\")\n  media_type=$(skopeo inspect --retry-times 3 --raw \"docker://${containerImage}\" | jq -r .mediaType)\n  oras_args=()\n  platform=\n  if [[ \"$media_type\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" ]]\\\n    || [[ \"$media_type\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n    platform=$os/$arch\n    oras_args=(--platform \"$platform\")\n  fi\n\n  # we do not use oras_args here since we want to get the manifest index image digest\n  origin_digest=$(oras resolve --registry-config 
\"$SOURCE_AUTH_FILE\" \"${containerImage}\")\n\n  jq --arg i \"$i\" --argjson arches \"$arches\" --argjson oses \"$oses\" --arg name \"$name\" \\\n    --arg sha \"$origin_digest\" \\\n    '.images[$i|tonumber] += {\"arches\": $arches, \"oses\": $oses, \"name\": $name, \"shasum\": $sha, \"urls\": []}' \\\n      \"$RESULTS_JSON_FILE\" \u003e \"$RESULTS_JSON_FILE.tmp\" \u0026\u0026 mv \"$RESULTS_JSON_FILE.tmp\" \"$RESULTS_JSON_FILE\"\n\n  # Push source container if the component has pushSourceContainer: true or if the\n  # pushSourceContainer key is missing from the component and the defaults has\n  # pushSourceContainer: true or omitted (defaultPushSourceContainer defaults to true)\n  pushSourceContainer=$(jq -r '.pushSourceContainer' \u003c\u003c\u003c \"$component\")\n  hasPushSourceContainer=$(jq 'has(\"pushSourceContainer\")' \u003c\u003c\u003c \"$component\")\n\n  if [[ \"${pushSourceContainer}\" == \"true\" ]] || [[ \"${hasPushSourceContainer}\" == \"false\" \u0026\u0026 \\\n          ${defaultPushSourceContainer} == \"true\" ]] ; then\n    source_tag=${origin_digest/:/-}.src\n    # Calculate the source container image based on the provided container image\n    sourceContainer=\"${source_repo}:${source_tag}\"\n    # Check if the source container exists\n    source_container_digest=$(oras resolve --registry-config \"$SOURCE_AUTH_FILE\" \\\n      \"${sourceContainer}\")\n\n    if [ -z \"$source_container_digest\" ] ; then\n      echo \"Error: Source container ${sourceContainer} not found!\"\n      exit 1\n    fi\n  fi\n\n  # Extract migration annotations if COPY_BUNDLE_MIGRATIONS is enabled\n  migration_digest=\"\"\n  migration_tag=\"\"\n  if [[ \"$COPY_BUNDLE_MIGRATIONS\" == \"true\" ]]; then\n    # Annotations are stored as [{name: key, value: value}, ...] 
in component.metadata.annotations\n    migration_digest=$(jq -r '.metadata.annotations // [] |\n      map(select(.name == \"dev.konflux-ci.task.migration.digest\")) |\n      .[0].value // \"\"' \u003c\u003c\u003c \"$component\")\n    migration_tag=$(jq -r '.metadata.annotations // [] |\n      map(select(.name == \"dev.konflux-ci.task.migration.tag\")) |\n      .[0].value // \"\"' \u003c\u003c\u003c \"$component\")\n    if [ -n \"$migration_digest\" ] \u0026\u0026 [ -n \"$migration_tag\" ]; then\n      printf '* Found migration annotations for component %s: digest=%s, tag=%s\\n' \\\n        \"$name\" \"$migration_digest\" \"$migration_tag\"\n    fi\n  fi\n\n  NUM_REPOS=$(jq -c '.repositories | length' \u003c\u003c\u003c \"$component\")\n  for ((j = 0; j \u003c NUM_REPOS; j++)); do\n    repository=$(jq -c --argjson j \"$j\" '.repositories[$j]' \u003c\u003c\u003c \"$component\")\n    imageTags=$(jq '.tags' \u003c\u003c\u003c \"$repository\")\n    repository_url=$(jq -r '.url' \u003c\u003c\u003c \"$repository\")\n\n    if [ -n \"${source_container_digest-}\" ] ; then\n      # Push the source image with the source tag here. 
The source image will be\n      # pushed with the provided tags below in the loop\n      wait_for_slot\n      push_image \"${source_container_digest}\" \"${name}\" \"${sourceContainer}\" \\\n        \"${repository_url}\" \"${source_tag}\" \"\" \u003e \"$TMP_RESULTS_DIR/${name}-${source_tag}.out\" 2\u003e\u00261 \u0026\n      ((++REQUEST_COUNT))\n      echo \"Request Count: $REQUEST_COUNT\"\n      jobs_spawned=$((jobs_spawned + 1))\n      # Allow memory usage to stabilize every BURST_SIZE spawns.\n      if (( jobs_spawned % BURST_SIZE == 0 )); then\n        sleep $STABILIZATION_DELAY\n      fi\n    fi\n\n    for tag in $(jq -r '.[]' \u003c\u003c\u003c \"$imageTags\") ; do\n      wait_for_slot\n      # Push the container image\n      push_image \"${origin_digest}\" \"${name}\" \"${containerImage}\" \"${repository_url}\" \"${tag}\" \\\n      \"$platform\" \u003e \"$TMP_RESULTS_DIR/${name}-${tag}.out\" 2\u003e\u00261 \u0026\n      ((++REQUEST_COUNT))\n      echo \"Request Count: $REQUEST_COUNT\"\n      jobs_spawned=$((jobs_spawned + 1))\n      if (( jobs_spawned % BURST_SIZE == 0 )); then\n        sleep $STABILIZATION_DELAY\n      fi\n\n      # This variable will only exist if the above logic determined the source container should\n      # be pushed for this component\n      if [ -n \"${source_container_digest-}\" ] ; then\n        wait_for_slot\n        push_image \"${source_container_digest}\" \"${name}\" \"${sourceContainer}\" \\\n          \"${repository_url}\" \"${tag}-source\" \"\" \u003e \"$TMP_RESULTS_DIR/${name}-${tag}-source.out\" 2\u003e\u00261 \u0026\n        ((++REQUEST_COUNT))\n        echo \"Request Count: $REQUEST_COUNT\"\n        jobs_spawned=$((jobs_spawned + 1))\n        if (( jobs_spawned % BURST_SIZE == 0 )); then\n          sleep $STABILIZATION_DELAY\n        fi\n      fi\n    done\n\n    # Push migration artifact if annotations are present\n    if [[ \"$COPY_BUNDLE_MIGRATIONS\" == \"true\" ]] \u0026\u0026 [ -n \"$migration_digest\" ] \u0026\u0026 
[ -n \"$migration_tag\" ]; then\n      wait_for_slot\n      push_migration_artifact \"${source_repo}\" \"${migration_digest}\" \"${name}\" \\\n        \"${repository_url}\" \"${migration_tag}\" \"$SOURCE_AUTH_FILE\" \\\n        \u003e \"$TMP_RESULTS_DIR/${name}-migration-${migration_tag}.out\" 2\u003e\u00261 \u0026\n      ((++REQUEST_COUNT))\n      echo \"Request Count: $REQUEST_COUNT (migration artifact)\"\n      jobs_spawned=$((jobs_spawned + 1))\n      if (( jobs_spawned % BURST_SIZE == 0 )); then\n        sleep $STABILIZATION_DELAY\n      fi\n    fi\n  done\ndone\n\necho \"Waiting for all jobs to complete....\"\n# Use counter to collect all exit codes in case processes finished during a burst sleep\nwhile (( jobs_collected \u003c jobs_spawned )); do\n  wait -n || SUCCESS=false\n  jobs_collected=$((jobs_collected + 1))\ndone\n\necho \"Printing outputs for each push image\"\nfor file in \"$TMP_RESULTS_DIR\"/*.out; do\n  echo \"=== $(basename \"${file}\" .out) ===\"\n  cat \"$file\"\n  echo\ndone\n\nif [ \"$SUCCESS\" != true ]; then\n    echo \"One or more jobs failed. Please check the logs above for details.\"\n    exit 1\nfi\n\n# Create a temporary file for the pushes data to avoid command line argument length limits\nPUSHES_FILE=$(mktemp)\njq -s . \"$TMP_RESULTS_DIR\"/*.json \u003e \"$PUSHES_FILE\"\n\n# Use file input instead of command line arguments to avoid argument length limits\njq --slurpfile PUSHES \"$PUSHES_FILE\" '\n  reduce $PUSHES[0][] as $p (.; (.images[] | select(.name == $p.name).urls) += [$p.url])\n' \"$RESULTS_JSON_FILE\" | tee \"$RESULTS_FILE\"\n\n# Clean up temporary files\nrm -f \"$RESULTS_JSON_FILE\" \"$RESULTS_JSON_FILE.tmp\" \"$PUSHES_FILE\"\n\nprintf 'Completed \"%s\" for \"%s\"\\n\\n' \"managed-gfn6w-push-snapshot\" \"$componentGroup\"\n"
                        },
                        {
                            "args": [
                                "create",
                                "--store",
                                "quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts",
                                "/tekton/results/sourceDataArtifact=/var/workdir/release"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "128Mi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "128Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "ORAS_OPTIONS"
                                },
                                {
                                    "name": "CA_FILE",
                                    "value": "/mnt/trusted-ca/ca-bundle.crt"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "create-trusted-artifact"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=66",
                    "operator-sdk/primary-resource": "default-tenant/tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "operator-sdk/primary-resource-type": "Release.appstudio.redhat.com",
                    "pac.test.appstudio.openshift.io/branch": "base-lrytgv",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998167190",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-lrytgv",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de/records/f1064d4f-51c9-4d84-a26f-c35a1b37936b",
                    "results.tekton.dev/result": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "release"
                },
                "creationTimestamp": "2026-04-25T08:44:20Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/service": "release",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083437-000",
                    "pipelines.appstudio.openshift.io/type": "managed",
                    "release.appstudio.openshift.io/name": "tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "release.appstudio.openshift.io/namespace": "default-tenant",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "push-to-external-registry",
                    "tekton.dev/pipelineRun": "managed-gfn6w",
                    "tekton.dev/pipelineRunUID": "2e8f5616-b364-4304-9c89-016c508710de",
                    "tekton.dev/pipelineTask": "reduce-snapshot",
                    "tekton.dev/task": "reduce-snapshot"
                },
                "name": "managed-gfn6w-reduce-snapshot",
                "namespace": "default-managed-tenant-c009b",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "managed-gfn6w",
                        "uid": "2e8f5616-b364-4304-9c89-016c508710de"
                    }
                ],
                "resourceVersion": "45713",
                "uid": "f1064d4f-51c9-4d84-a26f-c35a1b37936b"
            },
            "spec": {
                "params": [
                    {
                        "name": "SNAPSHOT",
                        "value": "/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/snapshot_spec.json"
                    },
                    {
                        "name": "SINGLE_COMPONENT",
                        "value": "false"
                    },
                    {
                        "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE",
                        "value": "snapshot/tsf-demo-app-20260425-083437-000"
                    },
                    {
                        "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE_NS",
                        "value": "default-tenant"
                    },
                    {
                        "name": "SNAPSHOT_PATH",
                        "value": "/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/snapshot_spec.json"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts"
                    },
                    {
                        "name": "sourceDataArtifact",
                        "value": "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:5a40819d92d108beb1178a881e5372ac7bb8c4bf3ae6f8a37f3f36d4209790f2"
                    },
                    {
                        "name": "dataDir",
                        "value": "/var/workdir/release"
                    },
                    {
                        "name": "trustedArtifactsDebug",
                        "value": ""
                    },
                    {
                        "name": "taskGitUrl",
                        "value": "https://github.com/konflux-ci/release-service-catalog.git"
                    },
                    {
                        "name": "taskGitRevision",
                        "value": "development"
                    }
                ],
                "serviceAccountName": "release-pipeline",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/release-service-catalog.git"
                        },
                        {
                            "name": "revision",
                            "value": "development"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/managed/reduce-snapshot/reduce-snapshot.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:44:42Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:44:42Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "managed-gfn6w-reduce-snapshot-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                        },
                        "entryPoint": "tasks/managed/reduce-snapshot/reduce-snapshot.yaml",
                        "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                    }
                },
                "results": [
                    {
                        "name": "sourceDataArtifact",
                        "type": "string",
                        "value": "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:02e6cd4768090506f283e730df40aba39fe316a42157218ef0a78f341fb99bde"
                    }
                ],
                "startTime": "2026-04-25T08:44:20Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa",
                        "name": "use-trusted-artifact",
                        "provenance": {
                            "refSource": {
                                "digest": {
                                    "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                                },
                                "entryPoint": "stepactions/use-trusted-artifact/use-trusted-artifact.yaml",
                                "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                            }
                        },
                        "terminated": {
                            "containerID": "cri-o://a47b42688b52bc3604e3c64736314910eea5dd96b6e1ab8f057c070c2433251c",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:44:39Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:44:38Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa",
                        "name": "create-trusted-artifact",
                        "provenance": {
                            "refSource": {
                                "digest": {
                                    "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                                },
                                "entryPoint": "stepactions/create-trusted-artifact/create-trusted-artifact.yaml",
                                "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                            }
                        },
                        "terminated": {
                            "containerID": "cri-o://7cb16a2c4c5fbd555948ec11c6725feb45f8ea75a876a45f02d4e5eb51ca20c2",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:44:41Z",
                            "message": "[{\"key\":\"sourceDataArtifact\",\"value\":\"oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:02e6cd4768090506f283e730df40aba39fe316a42157218ef0a78f341fb99bde\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:44:40Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-ensure-required-labels-present",
                        "imageID": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                        "name": "ensure-required-labels-present",
                        "terminated": {
                            "containerID": "cri-o://98d36a15323fd9a02bdd5bcda85e374e80c867cd4820e6da8b1418cbe6c0c145",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:44:40Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:44:40Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-reduce",
                        "imageID": "quay.io/conforma/cli@sha256:0a6c6cea9b6db5bbc798cb4c2ff0269789e547a8e25410c947a123eb727dc399",
                        "name": "reduce",
                        "terminated": {
                            "containerID": "cri-o://ec0e2793861024727dae92c37925432fc5522a1bc3a7fe0f44298737b503ca56",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:44:40Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:44:40Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Tekton task to reduce a snapshot to a single component based on the component that the snapshot was built for.",
                    "params": [
                        {
                            "description": "String representation of Snapshot spec",
                            "name": "SNAPSHOT",
                            "type": "string"
                        },
                        {
                            "description": "Whether single component mode is enabled",
                            "name": "SINGLE_COMPONENT",
                            "type": "string"
                        },
                        {
                            "description": "Custom Resource to query for built component in Snapshot",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Namespace where Custom Resource is found",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE_NS",
                            "type": "string"
                        },
                        {
                            "description": "The location to place the reduced Snapshot",
                            "name": "SNAPSHOT_PATH",
                            "type": "string"
                        },
                        {
                            "default": "empty",
                            "description": "The OCI repository where the Trusted Artifacts are stored",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "1d",
                            "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable",
                            "name": "trustedArtifactsDebug",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "oras options to pass to Trusted Artifacts calls",
                            "name": "orasOptions",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Location of trusted artifacts to be used to populate data directory",
                            "name": "sourceDataArtifact",
                            "type": "string"
                        },
                        {
                            "default": "/var/workdir/release",
                            "description": "The location where data will be stored",
                            "name": "dataDir",
                            "type": "string"
                        },
                        {
                            "description": "The url to the git repo where the release-service-catalog tasks and stepactions to be used are stored",
                            "name": "taskGitUrl",
                            "type": "string"
                        },
                        {
                            "description": "The revision in the taskGitUrl repo to be used",
                            "name": "taskGitRevision",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "/mnt/trusted-ca/ca-bundle.crt",
                            "description": "Path to CA certificate bundle for TLS verification with self-signed certificates",
                            "name": "caCertPath",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Produced trusted data artifact",
                            "name": "sourceDataArtifact",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "1d"
                            },
                            {
                                "name": "ORAS_OPTIONS"
                            },
                            {
                                "name": "DEBUG"
                            }
                        ],
                        "securityContext": {
                            "runAsUser": 1001
                        },
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:5a40819d92d108beb1178a881e5372ac7bb8c4bf3ae6f8a37f3f36d4209790f2=/var/workdir/release"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "64Mi"
                                },
                                "requests": {
                                    "cpu": "30m",
                                    "memory": "64Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "ORAS_OPTIONS"
                                },
                                {
                                    "name": "CA_FILE",
                                    "value": "/mnt/trusted-ca/ca-bundle.crt"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "use-trusted-artifact"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "128Mi"
                                },
                                "requests": {
                                    "cpu": "10m",
                                    "memory": "128Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SINGLE_COMPONENT",
                                    "value": "false"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE",
                                    "value": "snapshot/tsf-demo-app-20260425-083437-000"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE_NAMESPACE",
                                    "value": "default-tenant"
                                }
                            ],
                            "image": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                            "name": "ensure-required-labels-present",
                            "script": "#!/usr/bin/env bash\nset -eu\n\nif [ \"${SINGLE_COMPONENT}\" != \"true\" ]; then\n  echo \"Single component mode is not enabled, skipping label check\"\n  exit 0\nfi\n\nCR_NAMESPACE_ARG=\nif [ \"${CUSTOM_RESOURCE_NAMESPACE}\" != \"\" ]; then\n  CR_NAMESPACE_ARG=\"-n ${CUSTOM_RESOURCE_NAMESPACE}\"\nfi\n\nLABELS=$(kubectl get \"$CUSTOM_RESOURCE\" ${CR_NAMESPACE_ARG:+$CR_NAMESPACE_ARG} -ojson \\\n    | jq -r '.metadata.labels')\nSNAPSHOT_CREATION_TYPE=$(jq -r '.\"test.appstudio.openshift.io/type\" // \"\"' \u003c\u003c\u003c \"${LABELS}\")\nSNAPSHOT_CREATION_COMPONENT=$(jq -r '.\"appstudio.openshift.io/component\" // \"\"' \u003c\u003c\u003c \"${LABELS}\")\n\necho \"SNAPSHOT_CREATION_TYPE: ${SNAPSHOT_CREATION_TYPE}\"\necho \"SNAPSHOT_CREATION_COMPONENT: ${SNAPSHOT_CREATION_COMPONENT}\"\nif [ \"${SNAPSHOT_CREATION_TYPE}\" != \"component\" ] || [ \"${SNAPSHOT_CREATION_COMPONENT}\" == \"\" ]; then\n    echo \"Single component mode is enabled, but the snapshot is missing the required labels to use it.\"\n    echo \"This is likely due to a manually created snapshot\"\n    echo \"The test.appstudio.openshift.io/type label must exist with value component\"\n    echo \"The appstudio.openshift.io/component label must also exist saying which component to use\"\n    echo \"Failing the pipelineRun to prevent unexpected behavior in future tasks\"\n    exit 1\nfi\n"
                        },
                        {
                            "command": [
                                "reduce-snapshot.sh"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "128Mi"
                                },
                                "requests": {
                                    "cpu": "10m",
                                    "memory": "128Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNAPSHOT",
                                    "value": "/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/snapshot_spec.json"
                                },
                                {
                                    "name": "SINGLE_COMPONENT",
                                    "value": "false"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE",
                                    "value": "snapshot/tsf-demo-app-20260425-083437-000"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE_NAMESPACE",
                                    "value": "default-tenant"
                                },
                                {
                                    "name": "SNAPSHOT_PATH",
                                    "value": "/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/snapshot_spec.json"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:0a6c6cea9b6db5bbc798cb4c2ff0269789e547a8e25410c947a123eb727dc399",
                            "name": "reduce",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "create",
                                "--store",
                                "quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts",
                                "/tekton/results/sourceDataArtifact=/var/workdir/release"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "128Mi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "128Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "ORAS_OPTIONS"
                                },
                                {
                                    "name": "CA_FILE",
                                    "value": "/mnt/trusted-ca/ca-bundle.crt"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "create-trusted-artifact"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=77",
                    "operator-sdk/primary-resource": "default-tenant/tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "operator-sdk/primary-resource-type": "Release.appstudio.redhat.com",
                    "pac.test.appstudio.openshift.io/branch": "base-lrytgv",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998167190",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-lrytgv",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de/records/ed46e7ef-a337-46f5-b49c-3a4b02e300d7",
                    "results.tekton.dev/result": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "release"
                },
                "creationTimestamp": "2026-04-25T08:46:06Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/service": "release",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083437-000",
                    "pipelines.appstudio.openshift.io/type": "managed",
                    "release.appstudio.openshift.io/name": "tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "release.appstudio.openshift.io/namespace": "default-tenant",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "push-to-external-registry",
                    "tekton.dev/pipelineRun": "managed-gfn6w",
                    "tekton.dev/pipelineRunUID": "2e8f5616-b364-4304-9c89-016c508710de",
                    "tekton.dev/pipelineTask": "sign-image-cosign-keyless"
                },
                "name": "managed-gfn6w-sign-image-cosign-keyless",
                "namespace": "default-managed-tenant-c009b",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "managed-gfn6w",
                        "uid": "2e8f5616-b364-4304-9c89-016c508710de"
                    }
                ],
                "resourceVersion": "47504",
                "uid": "ed46e7ef-a337-46f5-b49c-3a4b02e300d7"
            },
            "spec": {
                "params": [
                    {
                        "name": "snapshotPath",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/snapshot_spec.json"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts"
                    },
                    {
                        "name": "sourceDataArtifact",
                        "value": "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:6ad3f682b24cb86ce3cb659e346b1b333452204818c5c744b9cd41af27b5dff3"
                    },
                    {
                        "name": "dataDir",
                        "value": "/var/workdir/release"
                    },
                    {
                        "name": "trustedArtifactsDebug",
                        "value": ""
                    },
                    {
                        "name": "taskGitUrl",
                        "value": "https://github.com/konflux-ci/release-service-catalog.git"
                    },
                    {
                        "name": "taskGitRevision",
                        "value": "development"
                    },
                    {
                        "name": "keylessRekorURL",
                        "value": "http://rekor-server.tsf-tas.svc.cluster.local"
                    },
                    {
                        "name": "keylessFulcioURL",
                        "value": "http://fulcio-server.tsf-tas.svc.cluster.local"
                    },
                    {
                        "name": "keylessOIDCIssuer",
                        "value": "https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j"
                    },
                    {
                        "name": "keylessTufURL",
                        "value": "http://tuf.tsf-tas.svc.cluster.local"
                    }
                ],
                "serviceAccountName": "release-pipeline",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/release-service-catalog.git"
                        },
                        {
                            "name": "revision",
                            "value": "development"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/managed/sign-image-cosign-keyless/sign-image-cosign-keyless.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "6h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:46:54Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:46:54Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "managed-gfn6w-sign-image-cosign-keyless-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                        },
                        "entryPoint": "tasks/managed/sign-image-cosign-keyless/sign-image-cosign-keyless.yaml",
                        "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                    }
                },
                "results": [
                    {
                        "name": "sourceDataArtifact",
                        "type": "string",
                        "value": "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:33b49f63a6c001210a75cd9566714b471f61acf5d4dee59c639b91bc2ca802a2"
                    }
                ],
                "startTime": "2026-04-25T08:46:06Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa",
                        "name": "use-trusted-artifact",
                        "provenance": {
                            "refSource": {
                                "digest": {
                                    "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                                },
                                "entryPoint": "stepactions/use-trusted-artifact/use-trusted-artifact.yaml",
                                "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                            }
                        },
                        "terminated": {
                            "containerID": "cri-o://e853a6f69dfa372f98239e42b37de39ea44a6d3c0448b69afd4ba87a14abffde",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:46:15Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:46:12Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa",
                        "name": "create-trusted-artifact",
                        "provenance": {
                            "refSource": {
                                "digest": {
                                    "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                                },
                                "entryPoint": "stepactions/create-trusted-artifact/create-trusted-artifact.yaml",
                                "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                            }
                        },
                        "terminated": {
                            "containerID": "cri-o://f7132a0930e7903823cdeb03c92df1d7c372bc8954e52840a244a814f402df18",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:46:53Z",
                            "message": "[{\"key\":\"sourceDataArtifact\",\"value\":\"oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:33b49f63a6c001210a75cd9566714b471f61acf5d4dee59c639b91bc2ca802a2\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:46:51Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sign-image",
                        "imageID": "quay.io/konflux-ci/release-service-utils@sha256:3cb03b14ac9d90ff27070036ce2b50712e65aa285daeb28852254a745bb25dfc",
                        "name": "sign-image",
                        "terminated": {
                            "containerID": "cri-o://917a72c79758facb84f69d1c60246609dfad44b07c686f419e1e03faf6fd26d2",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:46:51Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:46:15Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Tekton task to sign the container images in a snapshot with cosign in keyless mode",
                    "params": [
                        {
                            "description": "Path to the JSON string of the mapped Snapshot spec in the data workspace",
                            "name": "snapshotPath",
                            "type": "string"
                        },
                        {
                            "default": "3",
                            "description": "Retry cosign N times",
                            "name": "retries",
                            "type": "string"
                        },
                        {
                            "default": "90",
                            "description": "The maximum number of concurrent cosign signing jobs",
                            "name": "concurrentLimit",
                            "type": "string"
                        },
                        {
                            "default": "empty",
                            "description": "The OCI repository where the Trusted Artifacts are stored",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "1d",
                            "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable",
                            "name": "trustedArtifactsDebug",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "oras options to pass to Trusted Artifacts calls",
                            "name": "orasOptions",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Location of trusted artifacts to be used to populate data directory",
                            "name": "sourceDataArtifact",
                            "type": "string"
                        },
                        {
                            "default": "/var/workdir/release",
                            "description": "The location where data will be stored",
                            "name": "dataDir",
                            "type": "string"
                        },
                        {
                            "description": "The URL of the git repo where the release-service-catalog tasks and stepactions to be used are stored",
                            "name": "taskGitUrl",
                            "type": "string"
                        },
                        {
                            "description": "The revision in the taskGitUrl repo to be used",
                            "name": "taskGitRevision",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "/mnt/trusted-ca/ca-bundle.crt",
                            "description": "Path to CA certificate bundle for TLS verification with self-hosted certificates",
                            "name": "caCertPath",
                            "type": "string"
                        },
                        {
                            "description": "OIDC issuer for keyless signing",
                            "name": "keylessOIDCIssuer",
                            "type": "string"
                        },
                        {
                            "description": "Fulcio URL for keyless signing",
                            "name": "keylessFulcioURL",
                            "type": "string"
                        },
                        {
                            "description": "Rekor URL for keyless signing",
                            "name": "keylessRekorURL",
                            "type": "string"
                        },
                        {
                            "description": "TUF URL for keyless signing",
                            "name": "keylessTufURL",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Produced trusted data artifact",
                            "name": "sourceDataArtifact",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "1d"
                            },
                            {
                                "name": "ORAS_OPTIONS"
                            },
                            {
                                "name": "DEBUG"
                            }
                        ],
                        "securityContext": {
                            "runAsUser": 1001
                        },
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:6ad3f682b24cb86ce3cb659e346b1b333452204818c5c744b9cd41af27b5dff3=/var/workdir/release"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "30m",
                                    "memory": "64Mi"
                                },
                                "requests": {
                                    "cpu": "30m",
                                    "memory": "64Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "ORAS_OPTIONS"
                                },
                                {
                                    "name": "CA_FILE",
                                    "value": "/mnt/trusted-ca/ca-bundle.crt"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "use-trusted-artifact"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "2",
                                    "memory": "2560Mi"
                                },
                                "requests": {
                                    "cpu": "2",
                                    "memory": "2560Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/release-service-utils@sha256:3cb03b14ac9d90ff27070036ce2b50712e65aa285daeb28852254a745bb25dfc",
                            "name": "sign-image",
                            "script": "#!/usr/bin/env bash\nset -eu\n\nif [ -f \"/mnt/trusted-ca/ca-bundle.crt\" ]; then\n    export SSL_CERT_FILE=\"/mnt/trusted-ca/ca-bundle.crt\"\nfi\n\nREKOR_URL=\"http://rekor-server.tsf-tas.svc.cluster.local\"\nFULCIO_URL=\"http://fulcio-server.tsf-tas.svc.cluster.local\"\nTUF_URL=\"http://tuf.tsf-tas.svc.cluster.local\"\n\nSIGSTORE_ID_TOKEN=/var/run/secrets/tokens/oidc-token\nexport SIGSTORE_ID_TOKEN\ncosign initialize --mirror=\"${TUF_URL}\" --root=\"${TUF_URL}/root.json\"\n\n# JWT payloads use base64url encoding (no padding, -/_ instead of +//).\n# Decode properly by translating characters and adding padding.\npayload=$(cut -d. -f2 \u003c \"$SIGSTORE_ID_TOKEN\" | tr '_-' '/+')\nmod=$(( ${#payload} % 4 ))\nif [ \"$mod\" -ne 0 ]; then\n  payload+=$(printf '%*s' $((4 - mod)) '' | tr ' ' '=')\nfi\nSA_NAME=$(echo \"$payload\" | base64 -d | \\\n          jq -r '.\"kubernetes.io\".serviceaccount.name')\nSA_NS=$(echo \"$payload\" | base64 -d | \\\n        jq -r '.\"kubernetes.io\".namespace')\n\nexport CERTIFICATE_IDENTITY=\"https://kubernetes.io/namespaces/${SA_NS}/serviceaccounts/${SA_NAME}\"\n\nset -x\n\nSNAPSHOT_PATH=/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/snapshot_spec.json\nCOMPONENTS_LENGTH=$(jq '.components |length' \"${SNAPSHOT_PATH}\")\n\n# Initialize memory throttling\n# This file is located at utils/memory-throttle.sh in the release-service-utils image\n# shellcheck source=/dev/null\nsource memory-throttle.sh\n# This function is stored in the utils/memory-throttle.sh file\nlog_memory_throttle_status 80\n\nRUNNING_JOBS=\"\\j\" # Bash parameter for number of jobs currently running\nBURST_SIZE=5\nSTABILIZATION_DELAY=2\n\njobpid(){\n    pid=$(cut -d' ' -f4 \u003c /proc/self/stat)\n    echo \"$pid\"\n}\nechopid(){\n    pid=$(jobpid)\n    echo \"${pid}: $*\"\n}\nrun_cosign () { # Expected arguments are [digest_reference, tag_reference]\n    attempt=0\n    backoff1=2\n    backoff2=3\n    until [ \"$attempt\" 
-gt \"3\" ] ; do # 3 retries by default\n        cosign \"$@\" \u0026\u0026 break\n        sleep $backoff2\n\n        # Fibbonaci backoff\n        old_backoff1=$backoff1\n        backoff1=$backoff2\n        backoff2=$((old_backoff1 + backoff2))\n        attempt=$((attempt+1))\n    done\n    if [ \"$attempt\" -gt \"3\" ] ; then\n      echopid \"Max retries exceeded.\"\n      exit 1\n    fi\n}\nfunction check_existing_signatures() {\n  local identity=$1\n  local reference=$2\n  local digest=$3\n  declare -a COSIGN_REKOR_ARGS=()\n  COSIGN_REKOR_ARGS+=(\"--rekor-url=$REKOR_URL\")\n  COSIGN_REKOR_ARGS+=(\"--certificate-identity=${CERTIFICATE_IDENTITY}\"\n    \"--certificate-oidc-issuer=https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j\")\n  verify_output=$(run_cosign verify \"${COSIGN_REKOR_ARGS[@]}\" \"$reference\")\n  found_signatures=$(echo \"$verify_output\" | jq -j '['\\\n'.[]|select(.critical.image.\"docker-manifest-digest\"| contains(\"'\"$digest\"'\"))'\\\n'|select(.critical.identity.\"docker-reference\" == \"'\"$identity\"'\")'\\\n']|length')\n  echo \"$found_signatures\"\n}\nfunction check_and_sign() {\n  local identity=$1\n  local reference=$2\n  local digest=$3\n\n  # cosign has very limited support for selecting the right auth entry,\n  # so create a custom auth file with just one entry.\n  DOCKER_CONFIG=\"$(mktemp -d)\"\n  export DOCKER_CONFIG\n  select-oci-auth \"${reference}\" \u003e \"${DOCKER_CONFIG}/config.json\"\n\n  declare -a COSIGN_REKOR_ARGS=()\n  found_signatures=$(check_existing_signatures \"$identity\" \"$reference@$digest\" \"$digest\")\n  if [ -z \"$found_signatures\" ]; then\n    found_signatures=0\n  fi\n  echopid \"FOUND SIGNATURES for ${identity} ${digest}: $found_signatures\"\n  COSIGN_REKOR_ARGS+=(\"-y\" \"--rekor-url=$REKOR_URL\")\n\n  if [ \"$found_signatures\" -eq 0 ]; then\n    COSIGN_REKOR_ARGS+=(\"--identity-token\" \"$SIGSTORE_ID_TOKEN\")\n    COSIGN_REKOR_ARGS+=(\"--fulcio-url\" \"$FULCIO_URL\")\n    
run_cosign -t 3m0s sign \"${COSIGN_REKOR_ARGS[@]}\" \\\n      --sign-container-identity \"$identity\" \"$reference@$digest\"\n  else\n    echopid \"Skip signing ${identity} (${digest})\"\n  fi\n}\n\ndeclare -a to_sign=()\nfor (( COMPONENTS_INDEX=0; COMPONENTS_INDEX\u003cCOMPONENTS_LENGTH; COMPONENTS_INDEX++ )); do\n    COMPONENT_NAME=$(jq -r \".components[${COMPONENTS_INDEX}].name\" \"${SNAPSHOT_PATH}\")\n    echo \"Processing component ${COMPONENT_NAME}\"\n\n    COMPONENT=$(jq -c \".components[${COMPONENTS_INDEX}]\" \"${SNAPSHOT_PATH}\")\n\n    # Check if image is manifest list\n    BUILD_CONTAINER_IMAGE=$(jq -r \".components[${COMPONENTS_INDEX}].containerImage\" \"${SNAPSHOT_PATH}\")\n    DIGEST=\"${BUILD_CONTAINER_IMAGE/*@}\"\n    LIST=0\n    MANIFEST_DIGESTS=\"\"\n\n    # First, try to get imageDigests from the snapshot\n    # (avoids calling skopeo on inaccessible registries, like IIB)\n    IMAGE_DIGESTS=$(jq -c \".components[${COMPONENTS_INDEX}].imageDigests // []\" \"${SNAPSHOT_PATH}\")\n    IMAGE_DIGESTS_LENGTH=$(jq 'length' \u003c\u003c\u003c \"$IMAGE_DIGESTS\")\n\n    if [ \"$IMAGE_DIGESTS_LENGTH\" -gt 0 ]; then\n      # imageDigests available - use them (IIB always produces multi-arch manifest lists)\n      LIST=1\n      MANIFEST_DIGESTS=$(jq -r '.[]' \u003c\u003c\u003c \"$IMAGE_DIGESTS\")\n    else\n      IMAGE=$(skopeo inspect --raw \"docker://${BUILD_CONTAINER_IMAGE}\")\n      MEDIA_TYPE=$(echo \"$IMAGE\" | jq -r '.mediaType')\n      if [ \"$MEDIA_TYPE\" = \"application/vnd.docker.distribution.manifest.list.v2+json\" ]; then LIST=1; fi\n      if [ \"$MEDIA_TYPE\" = \"application/vnd.oci.image.index.v1+json\" ]; then LIST=1; fi\n      if [ $LIST -eq 1 ]; then\n        MANIFEST_DIGESTS=$(echo \"$IMAGE\" | jq -r '.manifests[]|.digest')\n      fi\n    fi\n\n    # Process repositories array (apply-mapping guarantees this exists)\n    NUM_REPOSITORIES=$(jq '.repositories | length' \u003c\u003c\u003c \"$COMPONENT\")\n    for (( i = 0; i \u003c 
NUM_REPOSITORIES; i++ )); do\n        REPOSITORY_OBJECT=$(jq -c \".repositories[${i}]\" \u003c\u003c\u003c \"$COMPONENT\")\n\n        # Get repository URL and use it as INTERNAL_CONTAINER_REF\n        INTERNAL_CONTAINER_REF=$(jq -r '.url' \u003c\u003c\u003c \"$REPOSITORY_OBJECT\")\n\n        # Get tags from repository object\n        REPO_TAGS=$(jq -r '.tags[]? // empty' \u003c\u003c\u003c \"$REPOSITORY_OBJECT\")\n        if [ -z \"$REPO_TAGS\" ]; then\n            echo \"No tags found for repository ${INTERNAL_CONTAINER_REF}, skipping signing\"\n            continue\n        fi\n\n        REGISTRY_REFERENCES=(\"${INTERNAL_CONTAINER_REF}\")\n\n        # Collect data for signing\n        # Sign each manifest in the manifest list\n        if [ $LIST -eq 1 ]; then\n            for REGISTRY_REF in \"${REGISTRY_REFERENCES[@]}\"; do\n                for MDIGEST in $MANIFEST_DIGESTS; do\n                    for TAG in $REPO_TAGS; do\n                        to_sign+=(\"${REGISTRY_REF}:${TAG}@${MDIGEST}#${INTERNAL_CONTAINER_REF}\")\n                    done\n                done\n            done\n        fi\n        # Sign manifest list itself or manifest if it's not list\n        for REGISTRY_REF in \"${REGISTRY_REFERENCES[@]}\"; do\n            for TAG in $REPO_TAGS; do\n                to_sign+=(\"${REGISTRY_REF}:${TAG}@${DIGEST}#${INTERNAL_CONTAINER_REF}\")\n            done\n        done\n    done\ndone\nspawn_count=0\nprintf '%s\\n' \"${to_sign[@]}\" | python3 -c \"\nimport sys\nfrom itertools import zip_longest\n\ndigest_groups = {}\n# Make groups based on reference + digest to avoid signing same digest in parallel\nfor line in sys.stdin:\n  x = line.strip()\n  if not x:\n    continue\n  rest, internal_ref = x.split('#', 1)\n  rest, digest = rest.rsplit('@', 1)\n  public_ref, tag = rest.rsplit(':', 1)\n  digest_groups.setdefault(internal_ref + '@' + digest, []).append(\n    (internal_ref, public_ref, digest, tag)\n  )\n\nfor to_yield in 
zip_longest(*digest_groups.values()):\n  for entry in filter(None, to_yield):\n    print(' '.join(entry))\n  print('---')  # group separator\n\" | {\n  SUCCESS=true\n  while read -r ENTRY; do\n    if [ \"$ENTRY\" = \"---\" ]; then\n      echo \"... waiting for group to be signed ...\"\n      # wait for group to finish\n      while (( ${RUNNING_JOBS@P} \u003e 0 )); do\n        wait -n || SUCCESS=false\n      done\n      spawn_count=0\n      continue\n    fi\n    INTERNAL_REF=$(echo \"$ENTRY\" | cut -d' ' -f1)\n    PUBLIC_REF=$(echo \"$ENTRY\" | cut -d' ' -f2)\n    DIGEST=$(echo \"$ENTRY\" | cut -d' ' -f3)\n    TAG=$(echo \"$ENTRY\" | cut -d' ' -f4)\n    # This function is stored in the utils/memory-throttle.sh file\n    # Wait for memory and concurrent limit\n    wait_for_memory 80\n    while (( ${RUNNING_JOBS@P} \u003e= 90 )); do\n      wait -n || SUCCESS=false\n    done\n    check_and_sign \"${PUBLIC_REF}:${TAG}\" \"${INTERNAL_REF}\" \"${DIGEST}\" \u0026\n    spawn_count=$((spawn_count + 1))\n\n    # Allow memory usage to stabilize every BURST_SIZE spawns.\n    if (( spawn_count % BURST_SIZE == 0 )); then\n      sleep $STABILIZATION_DELAY\n    fi\n  done\n  if [ \"$SUCCESS\" != true ]; then\n    echo \"ERROR: One or more signing jobs failed\"\n    exit 1\n  fi\n}\n# Note: The pipe runs the while loop in a subshell, but every group ends with \"---\"\n# which waits for all jobs in that group, so no jobs remain when the subshell exits.\necho \"done\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/run/secrets/tokens",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "args": [
                                "create",
                                "--store",
                                "quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts",
                                "/tekton/results/sourceDataArtifact=/var/workdir/release"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "250m",
                                    "memory": "128Mi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "128Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "ORAS_OPTIONS"
                                },
                                {
                                    "name": "CA_FILE",
                                    "value": "/mnt/trusted-ca/ca-bundle.crt"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "create-trusted-artifact"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 3600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=74",
                    "operator-sdk/primary-resource": "default-tenant/tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "operator-sdk/primary-resource-type": "Release.appstudio.redhat.com",
                    "pac.test.appstudio.openshift.io/branch": "base-lrytgv",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998167190",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-lrytgv",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de/records/15e8cf00-6f3c-49ba-b363-3872700b9846",
                    "results.tekton.dev/result": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "release"
                },
                "creationTimestamp": "2026-04-25T08:46:31Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/service": "release",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083437-000",
                    "pipelines.appstudio.openshift.io/type": "managed",
                    "release.appstudio.openshift.io/name": "tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "release.appstudio.openshift.io/namespace": "default-tenant",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "push-to-external-registry",
                    "tekton.dev/pipelineRun": "managed-gfn6w",
                    "tekton.dev/pipelineRunUID": "2e8f5616-b364-4304-9c89-016c508710de",
                    "tekton.dev/pipelineTask": "update-cr-status"
                },
                "name": "managed-gfn6w-update-cr-status",
                "namespace": "default-managed-tenant-c009b",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "managed-gfn6w",
                        "uid": "2e8f5616-b364-4304-9c89-016c508710de"
                    }
                ],
                "resourceVersion": "47344",
                "uid": "15e8cf00-6f3c-49ba-b363-3872700b9846"
            },
            "spec": {
                "params": [
                    {
                        "name": "resource",
                        "value": "default-tenant/tsf-demo-app-20260425-083437-000-d8a3550-f85bl"
                    },
                    {
                        "name": "resultsDirPath",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/results"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts"
                    },
                    {
                        "name": "resultArtifacts",
                        "value": [
                            "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:7343aa534558c5f991bde351eae26d1a484d6f9c5fc2852064c95a8c152ed7b6=/var/workdir/release"
                        ]
                    },
                    {
                        "name": "dataDir",
                        "value": "/var/workdir/release"
                    },
                    {
                        "name": "trustedArtifactsDebug",
                        "value": ""
                    },
                    {
                        "name": "taskGitUrl",
                        "value": "https://github.com/konflux-ci/release-service-catalog.git"
                    },
                    {
                        "name": "taskGitRevision",
                        "value": "development"
                    }
                ],
                "serviceAccountName": "release-pipeline",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/release-service-catalog.git"
                        },
                        {
                            "name": "revision",
                            "value": "development"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/managed/update-cr-status/update-cr-status.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:46:37Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:46:37Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "managed-gfn6w-update-cr-status-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                        },
                        "entryPoint": "tasks/managed/update-cr-status/update-cr-status.yaml",
                        "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                    }
                },
                "startTime": "2026-04-25T08:46:31Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact-array",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa",
                        "name": "use-trusted-artifact-array",
                        "provenance": {
                            "refSource": {
                                "digest": {
                                    "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                                },
                                "entryPoint": "stepactions/use-trusted-artifact-array/use-trusted-artifact-array.yaml",
                                "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                            }
                        },
                        "terminated": {
                            "containerID": "cri-o://6f87af58f74f4eeaa71776b4ad708251f56e623947a6006ff7861f35e66fc816",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:46:36Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:46:35Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-update-cr-status",
                        "imageID": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                        "name": "update-cr-status",
                        "terminated": {
                            "containerID": "cri-o://21ab78f682be81255429c17281c0fb0f42cb4c04e38bc300850915dfe9e14369",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:46:37Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:46:36Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "A Tekton task that updates the status of the passed CR with the contents of the files in the directory given by resultsDirPath.",
                    "params": [
                        {
                            "default": "release",
                            "description": "The type of resource that is being patched",
                            "name": "resourceType",
                            "type": "string"
                        },
                        {
                            "default": "artifacts",
                            "description": "The top level key to overwrite in the resource status",
                            "name": "statusKey",
                            "type": "string"
                        },
                        {
                            "description": "The namespaced name of the resource to be patched",
                            "name": "resource",
                            "type": "string"
                        },
                        {
                            "description": "Path to the directory containing the result files in the data workspace which will be added to the\nresource's status\n",
                            "name": "resultsDirPath",
                            "type": "string"
                        },
                        {
                            "default": "empty",
                            "description": "The OCI repository where the Trusted Artifacts are stored",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "1d",
                            "description": "How long the trusted artifacts created in the OCI repository are kept before they expire. An empty string means the artifacts do not expire",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable",
                            "name": "trustedArtifactsDebug",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "oras options to pass to Trusted Artifacts calls",
                            "name": "orasOptions",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of artifacts to use to obtain results",
                            "name": "resultArtifacts",
                            "type": "array"
                        },
                        {
                            "default": "/var/workdir/release",
                            "description": "The location where data will be stored",
                            "name": "dataDir",
                            "type": "string"
                        },
                        {
                            "description": "The URL of the git repo where the release-service-catalog tasks and stepactions to be used are stored",
                            "name": "taskGitUrl",
                            "type": "string"
                        },
                        {
                            "description": "The revision in the taskGitUrl repo to be used",
                            "name": "taskGitRevision",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "/mnt/trusted-ca/ca-bundle.crt",
                            "description": "Path to CA certificate bundle for TLS verification with self-signed certificates",
                            "name": "caCertPath",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "IMAGE_EXPIRES_AFTER",
                                "value": "1d"
                            },
                            {
                                "name": "ORAS_OPTIONS"
                            },
                            {
                                "name": "DEBUG"
                            }
                        ],
                        "securityContext": {
                            "runAsUser": 1001
                        },
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:7343aa534558c5f991bde351eae26d1a484d6f9c5fc2852064c95a8c152ed7b6=/var/workdir/release"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "128Mi"
                                },
                                "requests": {
                                    "cpu": "20m",
                                    "memory": "128Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "CA_FILE",
                                    "value": "/mnt/trusted-ca/ca-bundle.crt"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "use-trusted-artifact-array"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "128Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "128Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                            "name": "update-cr-status",
                            "script": "#!/usr/bin/env bash\nset -ex\n\nRESULTS_DIR=\"/var/workdir/release/2e8f5616-b364-4304-9c89-016c508710de/results\"\nTEMP_FILE=\"/tmp/temp.json\"\nRESULTS_JSON=\"/tmp/results.json\"\necho '{}' \u003e \"$RESULTS_JSON\"\n\nfor resultsFile in $([ -d \"$RESULTS_DIR\" ] \u0026\u0026 find \"$RESULTS_DIR\" -type f); do\n    if ! jq . \u003e/dev/null 2\u003e\u00261 \"${resultsFile}\" ; then\n        echo \"Passed results JSON file ${resultsFile} in results directory was not proper JSON.\"\n        exit 1\n    fi\n\n    # Merge with array concatenation for array fields and object merging\n    jq --slurpfile new \"${resultsFile}\" '\n      # Store current values as $base and get all unique keys from both objects\n      . as $base | ($base | keys + ($new[0] | keys)) | unique |\n      # Process each key and build the merged result\n      reduce .[] as $key ({}; . + {($key): (\n        # Case 1: Both values are arrays - concatenate them\n        if ($new[0][$key] | type == \"array\") and ($base[$key] | type == \"array\")\n        then $base[$key] + $new[0][$key]\n        else\n          # Case 2: Both values are objects - merge them recursively\n          if ($new[0][$key] | type == \"object\") and ($base[$key] | type == \"object\")\n          then $base[$key] * $new[0][$key]\n          # Case 3: Default - use new value or fall back to base value\n          else $new[0][$key] // $base[$key]\n          end\n        end\n      )})\n    ' \"$RESULTS_JSON\" \u003e \"$TEMP_FILE\"\n    mv \"$TEMP_FILE\" \"$RESULTS_JSON\"\ndone\n\n# Read the final JSON from the file\nFINAL_JSON=$(cat \"$RESULTS_JSON\")\n\nIFS='/' read -r namespace name \u003c\u003c\u003c \"default-tenant/tsf-demo-app-20260425-083437-000-d8a3550-f85bl\"\n\n# Create patch file to avoid \"Argument list too long\" error\nPATCH_FILE=\"/tmp/patch-$(date +%s).json\"\necho \"status: {'artifacts':${FINAL_JSON}}\" \u003e \"$PATCH_FILE\"\n\nkubectl --warnings-as-errors=true patch \"release\" 
-n \"$namespace\" \"$name\" \\\n  --type=merge --subresource status --patch-file \"$PATCH_FILE\"\n\n# Clean up\nrm -f \"$PATCH_FILE\"\n"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=59",
                    "operator-sdk/primary-resource": "default-tenant/tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "operator-sdk/primary-resource-type": "Release.appstudio.redhat.com",
                    "pac.test.appstudio.openshift.io/branch": "base-lrytgv",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998167190",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-lrytgv",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de/records/f0a746e6-49e9-4476-95d0-122c19caf1d7",
                    "results.tekton.dev/result": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "release"
                },
                "creationTimestamp": "2026-04-25T08:43:51Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/service": "release",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083437-000",
                    "pipelines.appstudio.openshift.io/type": "managed",
                    "release.appstudio.openshift.io/name": "tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "release.appstudio.openshift.io/namespace": "default-tenant",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "push-to-external-registry",
                    "tekton.dev/pipelineRun": "managed-gfn6w",
                    "tekton.dev/pipelineRunUID": "2e8f5616-b364-4304-9c89-016c508710de",
                    "tekton.dev/pipelineTask": "verify-access-to-resources",
                    "tekton.dev/task": "verify-access-to-resources"
                },
                "name": "managed-gfn6w-verify-access-to-resources",
                "namespace": "default-managed-tenant-c009b",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "managed-gfn6w",
                        "uid": "2e8f5616-b364-4304-9c89-016c508710de"
                    }
                ],
                "resourceVersion": "44945",
                "uid": "f0a746e6-49e9-4476-95d0-122c19caf1d7"
            },
            "spec": {
                "params": [
                    {
                        "name": "release",
                        "value": "default-tenant/tsf-demo-app-20260425-083437-000-d8a3550-f85bl"
                    },
                    {
                        "name": "releasePlan",
                        "value": "default-tenant/tsf-release"
                    },
                    {
                        "name": "releasePlanAdmission",
                        "value": "default-managed-tenant-c009b/tsf-release"
                    },
                    {
                        "name": "releaseServiceConfig",
                        "value": "release-service/release-service-config"
                    },
                    {
                        "name": "snapshot",
                        "value": "default-tenant/tsf-demo-app-20260425-083437-000"
                    },
                    {
                        "name": "requireInternalServices",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "release-pipeline",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/konflux-ci/release-service-catalog.git"
                        },
                        {
                            "name": "revision",
                            "value": "development"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/managed/verify-access-to-resources/verify-access-to-resources.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:44:07Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:44:07Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "managed-gfn6w-verify-access-to-resources-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                        },
                        "entryPoint": "tasks/managed/verify-access-to-resources/verify-access-to-resources.yaml",
                        "uri": "git+https://github.com/konflux-ci/release-service-catalog.git"
                    }
                },
                "startTime": "2026-04-25T08:43:52Z",
                "steps": [
                    {
                        "container": "step-verify-access-to-resources",
                        "imageID": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                        "name": "verify-access-to-resources",
                        "terminated": {
                            "containerID": "cri-o://84fcbcc71c09829769e2ecc38e03480ce8d435951e8c2b1d1af08b398f530423",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:44:07Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:44:07Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This Tekton task is used to verify access to various resources in the pipelines. It ensures that the necessary\nresources, such as the release, release plan, release plan admission, release service config and snapshot,\nare available and accessible. Additionally, it checks if internal requests can be created if\n`requireInternalServices` is set to `true`.",
                    "params": [
                        {
                            "description": "Namespace/name of the Release",
                            "name": "release",
                            "type": "string"
                        },
                        {
                            "description": "Namespace/name of the ReleasePlan",
                            "name": "releasePlan",
                            "type": "string"
                        },
                        {
                            "description": "Namespace/name of the ReleasePlanAdmission",
                            "name": "releasePlanAdmission",
                            "type": "string"
                        },
                        {
                            "description": "Namespace/name of the ReleaseServiceConfig",
                            "name": "releaseServiceConfig",
                            "type": "string"
                        },
                        {
                            "description": "Namespace/name of the Snapshot",
                            "name": "snapshot",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether internal services are required",
                            "name": "requireInternalServices",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "securityContext": {
                            "runAsUser": 1001
                        },
                        "volumeMounts": [
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "100Mi"
                                },
                                "requests": {
                                    "cpu": "10m",
                                    "memory": "100Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3",
                            "name": "verify-access-to-resources",
                            "script": "#!/usr/bin/env bash\n\nORIGIN_NAMESPACE=\"$(cut -f1 -d/ \u003c\u003c\u003c \"default-tenant/tsf-demo-app-20260425-083437-000-d8a3550-f85bl\")\"\nTARGET_NAMESPACE=\"$(cut -f1 -d/ \u003c\u003c\u003c \"default-managed-tenant-c009b/tsf-release\")\"\nRSC_NAMESPACE=\"$(cut -f1 -d/ \u003c\u003c\u003c \"release-service/release-service-config\")\"\n\nRELEASE_NAME=\"$(cut -f2 -d/ \u003c\u003c\u003c \"default-tenant/tsf-demo-app-20260425-083437-000-d8a3550-f85bl\")\"\nRELEASEPLAN_NAME=\"$(cut -f2 -d/ \u003c\u003c\u003c \"default-tenant/tsf-release\")\"\nRELEASEPLANADMISSION_NAME=\"$(cut -f2 -d/ \u003c\u003c\u003c \"default-managed-tenant-c009b/tsf-release\")\"\nRELEASESERVICECONFIG_NAME=\"$(cut -f2 -d/ \u003c\u003c\u003c \"release-service/release-service-config\")\"\nSNAPSHOT_NAME=\"$(cut -f2 -d/ \u003c\u003c\u003c \"default-tenant/tsf-demo-app-20260425-083437-000\")\"\n\nCAN_I_READ_RELEASES=\"$(kubectl auth can-i get release/\"${RELEASE_NAME}\" -n \"${ORIGIN_NAMESPACE}\")\"\nCAN_I_READ_RELEASEPLANS=\"$(kubectl auth can-i get releaseplan/\"${RELEASEPLAN_NAME}\"\\\n    -n \"${ORIGIN_NAMESPACE}\")\"\nCAN_I_READ_RELEASEPLANADMISSIONS=\"$(kubectl auth can-i get\\\n    releaseplanadmission/\"${RELEASEPLANADMISSION_NAME}\" -n \"${TARGET_NAMESPACE}\")\"\nCAN_I_READ_RELEASESERVICECONFIG=\"$(kubectl auth can-i get\\\n    releaseserviceconfig/\"${RELEASESERVICECONFIG_NAME}\" -n \"${RSC_NAMESPACE}\")\"\nCAN_I_READ_SNAPSHOTS=\"$(kubectl auth can-i get snapshot/\"${SNAPSHOT_NAME}\" -n \"${ORIGIN_NAMESPACE}\")\"\n\nif [ \"false\" = \"true\" ]; then\n  CAN_I_CREATE_INTERNALREQUESTS=\"$(kubectl auth can-i create internalrequest -n \"${TARGET_NAMESPACE}\")\"\nelse\n  CAN_I_CREATE_INTERNALREQUESTS=\"skipped\"\nfi\n\necho \"\"\necho \"CAN_I_READ_RELEASES? ${CAN_I_READ_RELEASES}\"\necho \"CAN_I_READ_RELEASEPLANS? ${CAN_I_READ_RELEASEPLANS}\"\necho \"CAN_I_READ_RELEASEPLANADMISSIONS? 
${CAN_I_READ_RELEASEPLANADMISSIONS}\"\necho \"CAN_I_READ_RELEASESERVICECONFIG? ${CAN_I_READ_RELEASESERVICECONFIG}\"\necho \"CAN_I_READ_SNAPSHOTS? ${CAN_I_READ_SNAPSHOTS}\"\necho \"\"\necho \"CAN_I_CREATE_INTERNALREQUESTS? ${CAN_I_CREATE_INTERNALREQUESTS}\"\necho \"\"\n\nif [ \"${CAN_I_READ_RELEASES}\" = \"no\" ] ||\\\n    [ \"${CAN_I_READ_RELEASEPLANS}\" = \"no\" ] ||\\\n    [ \"${CAN_I_READ_RELEASEPLANADMISSIONS}\" = \"no\" ] ||\\\n    [ \"${CAN_I_READ_RELEASESERVICECONFIG}\" = \"no\" ] ||\\\n    [ \"${CAN_I_READ_SNAPSHOTS}\" = \"no\" ] ||\\\n    [ \"${CAN_I_CREATE_INTERNALREQUESTS}\" = \"no\" ] ; then\n  echo \"Error: Cannot read or create required Release resources!\"\n  echo \"\"\n  echo \"This indicates that your workspace is not correctly setup\"\n  echo \"Please reach out to a workspace administrator\"\n  exit 1\nfi\n\necho \"Access to Release resources verified\"\n"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=70",
                    "operator-sdk/primary-resource": "default-tenant/tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "operator-sdk/primary-resource-type": "Release.appstudio.redhat.com",
                    "pac.test.appstudio.openshift.io/branch": "base-lrytgv",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998167190",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-lrytgv",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de/records/a5d01375-7fa0-494f-88be-5cd983ca54a3",
                    "results.tekton.dev/result": "default-managed-tenant-c009b/results/2e8f5616-b364-4304-9c89-016c508710de",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/displayName": "Verify Conforma in Konflux",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "release"
                },
                "creationTimestamp": "2026-04-25T08:45:06Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.1",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/service": "release",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083437-000",
                    "pipelines.appstudio.openshift.io/type": "managed",
                    "release.appstudio.openshift.io/name": "tsf-demo-app-20260425-083437-000-d8a3550-f85bl",
                    "release.appstudio.openshift.io/namespace": "default-tenant",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "push-to-external-registry",
                    "tekton.dev/pipelineRun": "managed-gfn6w",
                    "tekton.dev/pipelineRunUID": "2e8f5616-b364-4304-9c89-016c508710de",
                    "tekton.dev/pipelineTask": "verify-conforma",
                    "tekton.dev/task": "verify-conforma-konflux-ta"
                },
                "name": "managed-gfn6w-verify-conforma",
                "namespace": "default-managed-tenant-c009b",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "managed-gfn6w",
                        "uid": "2e8f5616-b364-4304-9c89-016c508710de"
                    }
                ],
                "resourceVersion": "46487",
                "uid": "a5d01375-7fa0-494f-88be-5cd983ca54a3"
            },
            "spec": {
                "params": [
                    {
                        "name": "SNAPSHOT_FILENAME",
                        "value": "2e8f5616-b364-4304-9c89-016c508710de/snapshot_spec.json"
                    },
                    {
                        "name": "SSL_CERT_DIR",
                        "value": "/var/run/secrets/kubernetes.io/serviceaccount"
                    },
                    {
                        "name": "POLICY_CONFIGURATION",
                        "value": "{\"name\":\"Default\",\"description\":\"Includes most of the rules and policies required internally by Red Hat when building Red Hat products. It excludes the requirement of hermetic builds. Available collections are defined in https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/release_policy.html#_available_rule_collections. If a different policy configuration is desired, this resource can serve as a starting point. See the docs on how to include and exclude rules https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/policy_configuration.html#_including_and_excluding_rules.\",\"sources\":[{\"name\":\"Default\",\"policy\":[\"oci::quay.io/conforma/release-policy:konflux@sha256:1b296a925b4021f4b4959ea289596925a8735540e554f3ba7754a651731a216f\"],\"data\":[\"github.com/konflux-ci/konflux-operator-trusted-sources//data?ref=95b1ba6bd85fa2117c544f4adb446f9b74a870e3\",\"github.com/redhat-appstudio/tsf-conforma-data//data?ref=1966f21842d507441a7a5e1c7de9071cf3f9ec53\"],\"config\":{\"exclude\":[\"hermetic_task\",\"source_image\",\"rpm_repos\"],\"include\":[\"@redhat\"]}}],\"publicKey\":\"k8s://openshift-pipelines/public-key\"}"
                    },
                    {
                        "name": "STRICT",
                        "value": "true"
                    },
                    {
                        "name": "IGNORE_REKOR",
                        "value": "true"
                    },
                    {
                        "name": "EXTRA_RULE_DATA",
                        "value": "pipeline_intention=release"
                    },
                    {
                        "name": "WORKERS",
                        "value": "4"
                    },
                    {
                        "name": "SOURCE_DATA_ARTIFACT",
                        "value": "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:c2d14dcdbd825f47250880dfdc6cdaae015b7c37833223581b07cb1794712e6b"
                    },
                    {
                        "name": "TRUSTED_ARTIFACTS_DEBUG",
                        "value": ""
                    },
                    {
                        "name": "CERTIFICATE_IDENTITY",
                        "value": "https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller"
                    },
                    {
                        "name": "CERTIFICATE_OIDC_ISSUER",
                        "value": "https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j"
                    },
                    {
                        "name": "TUF_MIRROR",
                        "value": "http://tuf.tsf-tas.svc.cluster.local"
                    },
                    {
                        "name": "REKOR_HOST",
                        "value": "http://rekor-server.tsf-tas.svc.cluster.local"
                    }
                ],
                "serviceAccountName": "release-pipeline",
                "taskRef": {
                    "params": [
                        {
                            "name": "url",
                            "value": "https://github.com/conforma/cli"
                        },
                        {
                            "name": "revision",
                            "value": "b1ede77ff694522a917dea2b4bde14b2cc1839f2"
                        },
                        {
                            "name": "pathInRepo",
                            "value": "tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml"
                        }
                    ],
                    "resolver": "git"
                },
                "timeout": "4h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:45:40Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:45:40Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "managed-gfn6w-verify-conforma-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha1": "b1ede77ff694522a917dea2b4bde14b2cc1839f2"
                        },
                        "entryPoint": "tasks/verify-conforma-konflux-ta/0.1/verify-conforma-konflux-ta.yaml",
                        "uri": "git+https://github.com/conforma/cli"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1777106737\",\"namespace\":\"\",\"successes\":128,\"failures\":0,\"warnings\":4,\"result\":\"WARNING\"}\n"
                    },
                    {
                        "name": "VSA_GENERATED",
                        "type": "string",
                        "value": "false"
                    }
                ],
                "startTime": "2026-04-25T08:45:07Z",
                "steps": [
                    {
                        "container": "step-create-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:1b8ca9fd2e9112a113c8a594dcf675b799ba26c20c685c0334300f60c268fdfa",
                        "name": "create-trusted-artifact",
                        "provenance": {
                            "refSource": {
                                "digest": {
                                    "sha1": "48a31f6910278fccd79a551bac7174fb734dad3b"
                                },
                                "entryPoint": "stepactions/create-trusted-artifact/create-trusted-artifact.yaml",
                                "uri": "git+https://github.com/konflux-ci/release-service-catalog"
                            }
                        },
                        "terminated": {
                            "containerID": "cri-o://823a662a89e62a4e4d441daaeb39fb8913b3e4228e69b087aeb5f6a6ae172a89",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:45:39Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:45:39Z"
                        },
                        "terminationReason": "Skipped"
                    },
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/redhat-appstudio/build-trusted-artifacts@sha256:3732f40fc8a6148eec58400421f7b15076c5db8be5243ec43d99a227023df577",
                        "name": "use-trusted-artifact",
                        "terminated": {
                            "containerID": "cri-o://6df050aa3086978ed86aead5820aaad46f6aad31146fbed2bebc5d7182b233ec",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:45:25Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:45:25Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-initialize-tuf",
                        "imageID": "quay.io/conforma/cli@sha256:35e590c9449b08d86296742462a56de75995b0cc0b884deb95e88c1374697308",
                        "name": "initialize-tuf",
                        "terminated": {
                            "containerID": "cri-o://3fb92b25e3498327454c73549f620973b0c7e648c4e4f267884a617dbcfe5708",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:45:25Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:45:25Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-reduce",
                        "imageID": "quay.io/conforma/cli@sha256:35e590c9449b08d86296742462a56de75995b0cc0b884deb95e88c1374697308",
                        "name": "reduce",
                        "terminated": {
                            "containerID": "cri-o://736ff4bff1e0a691075bc36415c41114a9114cafe0a2576be99eca44cd47ed48",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:45:25Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:45:25Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-validate",
                        "imageID": "quay.io/conforma/cli@sha256:35e590c9449b08d86296742462a56de75995b0cc0b884deb95e88c1374697308",
                        "name": "validate",
                        "terminated": {
                            "containerID": "cri-o://05083bacdc472c9f0028a5d4babd9482459a6dfbc92a81f7af2bb457949ece54",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:45:37Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106737\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1},{\"key\":\"VSA_GENERATED\",\"value\":\"false\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:45:26Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-report-json",
                        "imageID": "quay.io/conforma/cli@sha256:35e590c9449b08d86296742462a56de75995b0cc0b884deb95e88c1374697308",
                        "name": "report-json",
                        "terminated": {
                            "containerID": "cri-o://c8f7a45a3e6a3b5dac7a34b8d94cd47b641a73dbe6517035bdb9f73ad17d2cd4",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:45:37Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106737\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1},{\"key\":\"VSA_GENERATED\",\"value\":\"false\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:45:37Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-summary",
                        "imageID": "quay.io/conforma/cli@sha256:35e590c9449b08d86296742462a56de75995b0cc0b884deb95e88c1374697308",
                        "name": "summary",
                        "terminated": {
                            "containerID": "cri-o://2f364e745208a815135c6639e96e977c4613002f1ce9b7a8faf824d3b24c898e",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:45:38Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106737\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1},{\"key\":\"VSA_GENERATED\",\"value\":\"false\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:45:38Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-version",
                        "imageID": "quay.io/conforma/cli@sha256:35e590c9449b08d86296742462a56de75995b0cc0b884deb95e88c1374697308",
                        "name": "version",
                        "terminated": {
                            "containerID": "cri-o://a1dc9654a115dfec87a26c4dc9eabea783db12e8eed937232ce539fa905172ea",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:45:38Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106737\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1},{\"key\":\"VSA_GENERATED\",\"value\":\"false\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:45:38Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-show-config",
                        "imageID": "quay.io/conforma/cli@sha256:35e590c9449b08d86296742462a56de75995b0cc0b884deb95e88c1374697308",
                        "name": "show-config",
                        "terminated": {
                            "containerID": "cri-o://0800b96ffe87a52993bb9eda07e7ecb0309089e9d66f07fc3c3422f050364f97",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:45:38Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106737\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1},{\"key\":\"VSA_GENERATED\",\"value\":\"false\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:45:38Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-detailed-report",
                        "imageID": "quay.io/conforma/cli@sha256:35e590c9449b08d86296742462a56de75995b0cc0b884deb95e88c1374697308",
                        "name": "detailed-report",
                        "terminated": {
                            "containerID": "cri-o://993ae978c9aae793251bb17cde6715646291efe4ca5589e00cb2be0a1866aa1d",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:45:39Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106737\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1},{\"key\":\"VSA_GENERATED\",\"value\":\"false\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:45:39Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-assert",
                        "imageID": "quay.io/conforma/cli@sha256:35e590c9449b08d86296742462a56de75995b0cc0b884deb95e88c1374697308",
                        "name": "assert",
                        "terminated": {
                            "containerID": "cri-o://9542ae57cfa9da26e3b0e0da56e2e468a82a168bd7da55e8b305ff2bc050bdf7",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:45:39Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106737\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1},{\"key\":\"VSA_GENERATED\",\"value\":\"false\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:45:39Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Verify the enterprise contract is met",
                    "params": [
                        {
                            "description": "The filename of the `Snapshot` that is located within the trusted artifact\n",
                            "name": "SNAPSHOT_FILENAME",
                            "type": "string"
                        },
                        {
                            "description": "Trusted Artifact to use to obtain the Snapshot to validate.\n",
                            "name": "SOURCE_DATA_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "enterprise-contract-service/default",
                            "description": "Name of the policy configuration (EnterpriseContractPolicy\nresource) to use. `namespace/name` or `name` syntax supported. If\nnamespace is omitted the namespace where the task runs is used.\nYou can also specify a policy configuration using a git url, e.g.\n`github.com/conforma/config//slsa3`.\n",
                            "name": "POLICY_CONFIGURATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Public key used to verify traditional long-lived signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute. Required for traditional signing key verification. Will be ignored if any of CERTIFICATE_IDENTITY, CERTIFICATE_IDENTITY_REGEXP, CERTIFICATE_OIDC_ISSUER, or CERTIFICATE_OIDC_ISSUER_REGEXP is provided.",
                            "name": "PUBLIC_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Rekor host for transparency log lookups",
                            "name": "REKOR_HOST",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected identity in the signing certificate for keyless verification. This should be the email or URI that was used when signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_IDENTITY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected OIDC issuer in the signing certificate for keyless verification. This should match the issuer that provided the identity token used for signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_OIDC_ISSUER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_IDENTITY but the value is a regexp that will be matched. Note that CERTIFICATE_IDENTITY takes precedence over this if both are present.",
                            "name": "CERTIFICATE_IDENTITY_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_OIDC_ISSUER but a regexp that will be matched. Note that CERTIFICATE_OIDC_ISSUER takes precedence over this if both are present.",
                            "name": "CERTIFICATE_OIDC_ISSUER_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip Rekor transparency log checks during validation. Compatible with traditional signing secret signature checks only. If any of the CERTIFICATE_* keyless verification params are present, this value is disregarded and Rekor transparency log checks are included.",
                            "name": "IGNORE_REKOR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "TUF mirror URL. Provide a value when NOT using the public Sigstore deployment.",
                            "name": "TUF_MIRROR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Path to a directory containing SSL certs to be used when communicating\nwith external services. This is useful when using the integrated registry\nand a local instance of Rekor on a development cluster which may use\ncertificates issued by a not-commonly trusted root CA. In such cases,\n`/var/run/secrets/kubernetes.io/serviceaccount` is a good value. Multiple\npaths can be provided by using the `:` separator.\n",
                            "name": "SSL_CERT_DIR",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIGMAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Include rule titles and descriptions in the output. Set to `\"false\"` to disable it.",
                            "name": "INFO",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Fail the task if policy fails. Set to `\"false\"` to disable it.",
                            "name": "STRICT",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Value for the HOME environment variable.",
                            "name": "HOMEDIR",
                            "type": "string"
                        },
                        {
                            "default": "now",
                            "description": "Run policy checks with the provided time.",
                            "name": "EFFECTIVE_TIME",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Merge additional Rego variables into the policy data. Use syntax \"key=value,key2=value2...\"",
                            "name": "EXTRA_RULE_DATA",
                            "type": "string"
                        },
                        {
                            "default": "4",
                            "description": "Number of parallel workers to use for policy evaluation.\n",
                            "name": "WORKERS",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Reduce the Snapshot to only the component whose build caused the Snapshot to be created",
                            "name": "SINGLE_COMPONENT",
                            "type": "string"
                        },
                        {
                            "default": "unknown",
                            "description": "Name, including kind, of the Kubernetes resource to query for labels when single component mode is enabled, e.g. pr/somepipeline.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Kubernetes namespace where the resource named by SINGLE_COMPONENT_CUSTOM_RESOURCE is found. Only used when single component mode is enabled.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE_NS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "oras options to pass to Trusted Artifacts calls",
                            "name": "ORAS_OPTIONS",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable.",
                            "name": "TRUSTED_ARTIFACTS_DEBUG",
                            "type": "string"
                        },
                        {
                            "default": "/var/workdir/conforma",
                            "description": "Directory to use to extract trusted artifact archive.",
                            "name": "TRUSTED_ARTIFACTS_EXTRACT_DIR",
                            "type": "string"
                        },
                        {
                            "default": "1s",
                            "description": "Base duration for exponential backoff calculation (e.g., \"1s\", \"500ms\")",
                            "name": "RETRY_DURATION",
                            "type": "string"
                        },
                        {
                            "default": "2.0",
                            "description": "Exponential backoff multiplier (e.g., \"2.0\", \"1.5\")",
                            "name": "RETRY_FACTOR",
                            "type": "string"
                        },
                        {
                            "default": "0.1",
                            "description": "Randomness factor for backoff calculation (0.0-1.0, e.g., \"0.1\", \"0.2\")",
                            "name": "RETRY_JITTER",
                            "type": "string"
                        },
                        {
                            "default": "3",
                            "description": "Maximum number of retry attempts",
                            "name": "RETRY_MAX_RETRY",
                            "type": "string"
                        },
                        {
                            "default": "3s",
                            "description": "Maximum wait time between retries (e.g., \"3s\", \"10s\")",
                            "name": "RETRY_MAX_WAIT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Enable VSA generation",
                            "name": "ENABLE_VSA",
                            "type": "string"
                        },
                        {
                            "default": "dsse",
                            "description": "Attestation format: dsse (signed envelope) or predicate (raw JSON)",
                            "name": "ATTESTATION_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Signing key for format=dsse (k8s:// or file:// URL)",
                            "name": "VSA_SIGNING_KEY",
                            "type": "string"
                        },
                        {
                            "default": "local@/var/workdir/conforma/vsa",
                            "description": "VSA upload destination",
                            "name": "VSA_UPLOAD",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "OCI storage URL for trusted artifacts",
                            "name": "ociStorage",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Short summary of the policy evaluation for each image",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Whether VSAs were generated (true/false)",
                            "name": "VSA_GENERATED",
                            "type": "string"
                        },
                        {
                            "description": "Trusted Artifact URI containing VSA files",
                            "name": "sourceDataArtifact",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "ORAS_OPTIONS"
                            },
                            {
                                "name": "DEBUG"
                            },
                            {
                                "name": "HOME",
                                "value": "/tekton/home"
                            }
                        ],
                        "securityContext": {
                            "runAsUser": 1001
                        },
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            },
                            {
                                "mountPath": "/etc/ssl/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-managed-tenant-c009b/default-managed-tenant-c009b-a0d27a/trusted-artifacts@sha256:c2d14dcdbd825f47250880dfdc6cdaae015b7c37833223581b07cb1794712e6b=/var/workdir/conforma"
                            ],
                            "computeResources": {},
                            "image": "quay.io/redhat-appstudio/build-trusted-artifacts:e02102ede09aa07187cba066ad547a54724e5cf4",
                            "name": "use-trusted-artifact"
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "TUF_MIRROR",
                                    "value": "http://tuf.tsf-tas.svc.cluster.local"
                                }
                            ],
                            "image": "quay.io/conforma/cli:latest",
                            "name": "initialize-tuf",
                            "script": "set -euo pipefail\n\nif [[ -z \"${TUF_MIRROR:-}\" ]]; then\n    echo 'TUF_MIRROR parameter not provided. Skipping TUF root initialization.'\n    exit\nfi\n\necho 'Initializing TUF root...'\nec sigstore initialize --mirror \"${TUF_MIRROR}\" --root \"${TUF_MIRROR}/root.json\"\necho 'Done!'"
                        },
                        {
                            "command": [
                                "reduce-snapshot.sh"
                            ],
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "SNAPSHOT",
                                    "value": "/var/workdir/conforma/2e8f5616-b364-4304-9c89-016c508710de/snapshot_spec.json"
                                },
                                {
                                    "name": "SINGLE_COMPONENT",
                                    "value": "false"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE",
                                    "value": "unknown"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE_NAMESPACE"
                                },
                                {
                                    "name": "SNAPSHOT_PATH",
                                    "value": "/tekton/home/snapshot.json"
                                }
                            ],
                            "image": "quay.io/conforma/cli:latest",
                            "name": "reduce",
                            "onError": "continue"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "2Gi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "2Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_CONFIGURATION",
                                    "value": "{\"name\":\"Default\",\"description\":\"Includes most of the rules and policies required internally by Red Hat when building Red Hat products. It excludes the requirement of hermetic builds. Available collections are defined in https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/release_policy.html#_available_rule_collections. If a different policy configuration is desired, this resource can serve as a starting point. See the docs on how to include and exclude rules https://redhat-appstudio.github.io/docs.stonesoup.io/ec-policies/policy_configuration.html#_including_and_excluding_rules.\",\"sources\":[{\"name\":\"Default\",\"policy\":[\"oci::quay.io/conforma/release-policy:konflux@sha256:1b296a925b4021f4b4959ea289596925a8735540e554f3ba7754a651731a216f\"],\"data\":[\"github.com/konflux-ci/konflux-operator-trusted-sources//data?ref=95b1ba6bd85fa2117c544f4adb446f9b74a870e3\",\"github.com/redhat-appstudio/tsf-conforma-data//data?ref=1966f21842d507441a7a5e1c7de9071cf3f9ec53\"],\"config\":{\"exclude\":[\"hermetic_task\",\"source_image\",\"rpm_repos\"],\"include\":[\"@redhat\"]}}],\"publicKey\":\"k8s://openshift-pipelines/public-key\"}"
                                },
                                {
                                    "name": "PUBLIC_KEY"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY",
                                    "value": "https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER",
                                    "value": "https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY_REGEXP"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER_REGEXP"
                                },
                                {
                                    "name": "REKOR_HOST",
                                    "value": "http://rekor-server.tsf-tas.svc.cluster.local"
                                },
                                {
                                    "name": "IGNORE_REKOR",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKERS",
                                    "value": "4"
                                },
                                {
                                    "name": "INFO",
                                    "value": "true"
                                },
                                {
                                    "name": "EFFECTIVE_TIME",
                                    "value": "now"
                                },
                                {
                                    "name": "EXTRA_RULE_DATA",
                                    "value": "pipeline_intention=release"
                                },
                                {
                                    "name": "RETRY_MAX_WAIT",
                                    "value": "3s"
                                },
                                {
                                    "name": "RETRY_MAX_RETRY",
                                    "value": "3"
                                },
                                {
                                    "name": "RETRY_DURATION",
                                    "value": "1s"
                                },
                                {
                                    "name": "RETRY_FACTOR",
                                    "value": "2.0"
                                },
                                {
                                    "name": "RETRY_JITTER",
                                    "value": "0.1"
                                },
                                {
                                    "name": "ENABLE_VSA",
                                    "value": "false"
                                },
                                {
                                    "name": "ATTESTATION_FORMAT",
                                    "value": "dsse"
                                },
                                {
                                    "name": "VSA_SIGNING_KEY"
                                },
                                {
                                    "name": "VSA_UPLOAD",
                                    "value": "local@/var/workdir/conforma/vsa"
                                },
                                {
                                    "name": "HOMEDIR",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "SSL_CERT_DIR",
                                    "value": "/tekton-custom-certs:/etc/ssl/certs:/etc/pki/tls/certs:/system/etc/security/cacerts:/var/run/secrets/kubernetes.io/serviceaccount"
                                }
                            ],
                            "image": "quay.io/conforma/cli:latest",
                            "name": "validate",
                            "onError": "continue",
                            "script": "#!/bin/bash\nset -euo pipefail\n\ncmd_args=(\n  validate\n  image\n  --images=\"${HOMEDIR}/snapshot.json\"\n  --policy=\"${POLICY_CONFIGURATION}\"\n)\n\n# To keep bash logic as thin as possible we deliberately don't sanitize\n# these params. If something is wrong or missing let Conforma handle it.\n\nif [ -n \"${CERTIFICATE_IDENTITY}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ] || \\\n   [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n  # If *any* of the above are non-empty assume the intention is to\n  # try keyless verification\n\n  if [ -n \"${CERTIFICATE_IDENTITY}\" ]; then\n    cmd_args+=(\n      --certificate-identity=\"${CERTIFICATE_IDENTITY}\"\n    )\n  elif [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-identity-regexp=\"${CERTIFICATE_IDENTITY_REGEXP}\"\n    )\n  fi\n\n  if [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer=\"${CERTIFICATE_OIDC_ISSUER}\"\n    )\n  elif [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer-regexp=\"${CERTIFICATE_OIDC_ISSUER_REGEXP}\"\n    )\n  fi\n\n  # Force --ignore-rekor to false since we need rekor\n  cmd_args+=(\n    --ignore-rekor=false\n  )\nelse\n  # Assume traditional signing secret verification\n  cmd_args+=(\n    --public-key=\"${PUBLIC_KEY}\"\n    --ignore-rekor=\"${IGNORE_REKOR}\"\n  )\nfi\n\ncmd_args+=(\n  --rekor-url=\"${REKOR_HOST}\"\n  --workers=\"${WORKERS}\"\n  --info=\"${INFO}\"\n  --timeout=0\n  --strict=false\n  --show-successes=true\n  --show-policy-docs-link=true\n  --effective-time=\"${EFFECTIVE_TIME}\"\n  --extra-rule-data=\"${EXTRA_RULE_DATA}\"\n  --retry-max-wait=\"${RETRY_MAX_WAIT}\"\n  --retry-max-retry=\"${RETRY_MAX_RETRY}\"\n  --retry-duration=\"${RETRY_DURATION}\"\n  --retry-factor=\"${RETRY_FACTOR}\"\n  --retry-jitter=\"${RETRY_JITTER}\"\n  
--output=\"text=${HOMEDIR}/text-report.txt?show-successes=false\"\n  --output=\"json=${HOMEDIR}/report-json.json\"\n  --output=\"appstudio=/tekton/results/TEST_OUTPUT\"\n)\n\n# Add VSA arguments if enabled\nif [[ \"${ENABLE_VSA}\" == \"true\" ]]; then\n  cmd_args+=(\n    --vsa=\"true\"\n    --attestation-format=\"${ATTESTATION_FORMAT}\"\n  )\n\n\n  if [[ \"${ATTESTATION_FORMAT}\" == \"dsse\" ]]; then\n    if [[ -z \"${VSA_SIGNING_KEY}\" ]]; then\n      echo \"ERROR: VSA_SIGNING_KEY required for format=dsse\" \u003e\u00262\n      exit 1\n    fi\n    cmd_args+=(\n      --vsa-signing-key=\"${VSA_SIGNING_KEY}\"\n      --vsa-upload=\"${VSA_UPLOAD}\"\n    )\n  fi\n\n  # ec requires --attestation-output-dir to be under /tmp or cwd.\n  # Write there first, then copy to the workdir so\n  # create-trusted-artifact includes them in the archive.\n  VSA_TMP_DIR=\"/tmp/vsa-output\"\n  mkdir -p \"$VSA_TMP_DIR\"\n  cmd_args+=(\n    --attestation-output-dir=\"$VSA_TMP_DIR\"\n  )\n\n  echo -n \"true\" \u003e /tekton/results/VSA_GENERATED\nelse\n  echo -n \"false\" \u003e /tekton/results/VSA_GENERATED\nfi\n\n# Execute Conforma with constructed arguments\nec \"${cmd_args[@]}\"\n\n# Copy VSA output from /tmp to workdir for trusted artifact archival\nif [[ \"${ENABLE_VSA}\" == \"true\" ]]; then\n  # Extract local path from VSA_UPLOAD for output directory\n  # VSA_UPLOAD format is \"local@/path/to/dir\"\n  # Fixme: Because of -o pipefail this will fail the whole task when the grep doesn't match\n  VSA_LOCAL_PATH=$(echo \"${VSA_UPLOAD}\" | grep -oE '^local@[^ ]+' | sed 's/^local@//' | head -n1 || true)\n  if [[ -n \"$VSA_LOCAL_PATH\" \u0026\u0026 -d \"/tmp/vsa-output\" ]]; then\n    mkdir -p \"$VSA_LOCAL_PATH\"\n    cp -r /tmp/vsa-output/* \"$VSA_LOCAL_PATH\"/ 2\u003e/dev/null || true\n    # Include raw JSON report for downstream SLSA VSA generation\n    cp \"${HOMEDIR}/report-json.json\" \"$VSA_LOCAL_PATH\"/ 2\u003e/dev/null || true\n  fi\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "args": [
                                "jq . /tekton/home/report-json.json | awk '{gsub(/^ +/, \"\"); acc += length; if (acc \u003e= 8000) { printf \"\\n\"; acc=length } printf $0 }'"
                            ],
                            "command": [
                                "sh",
                                "-c"
                            ],
                            "computeResources": {},
                            "image": "quay.io/conforma/cli:latest",
                            "name": "report-json",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                ".",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {},
                            "image": "quay.io/conforma/cli:latest",
                            "name": "summary",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "version"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {},
                            "image": "quay.io/conforma/cli:latest",
                            "name": "version"
                        },
                        {
                            "args": [
                                "{policy: .policy, key: .key, \"effective-time\": .[\"effective-time\"]}",
                                "/tekton/home/report-json.json"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {},
                            "image": "quay.io/conforma/cli:latest",
                            "name": "show-config"
                        },
                        {
                            "args": [
                                "/tekton/home/text-report.txt"
                            ],
                            "command": [
                                "cat"
                            ],
                            "computeResources": {},
                            "image": "quay.io/conforma/cli:latest",
                            "name": "detailed-report",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "--argjson",
                                "strict",
                                "true",
                                "-e",
                                ".result == \"SUCCESS\" or .result == \"WARNING\" or ($strict | not)\n",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {},
                            "image": "quay.io/conforma/cli:latest",
                            "name": "assert"
                        },
                        {
                            "args": [
                                "create",
                                "--store",
                                "",
                                "/tekton/results/sourceDataArtifact=/var/workdir/conforma"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "128Mi"
                                },
                                "requests": {
                                    "cpu": "250m",
                                    "memory": "128Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "ORAS_OPTIONS"
                                },
                                {
                                    "name": "CA_FILE",
                                    "value": "/mnt/trusted-ca/ca-bundle.crt"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476",
                            "name": "create-trusted-artifact",
                            "when": [
                                {
                                    "input": "false",
                                    "operator": "in",
                                    "values": [
                                        "true"
                                    ]
                                },
                                {
                                    "operator": "notin",
                                    "values": [
                                        "",
                                        "empty"
                                    ]
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/commit_sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/target_branch": "base-vbzktl",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=81",
                    "pac.test.appstudio.openshift.io/branch": "base-vbzktl",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998372575",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-wjhlte",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/my-integration-test-pscf-dxntr",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-vbzktl\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #234 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/f531195f8270badfde86d3c2463affa6ca989043",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-vbzktl",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/2b64b758-3bc5-4dce-a4ba-2556456180a3/records/6608f105-f8e9-4630-9317-5ce9cdf99452",
                    "results.tekton.dev/result": "default-tenant/results/2b64b758-3bc5-4dce-a4ba-2556456180a3",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/displayName": "Collect Keyless Signing Parameters",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "ec, keyless, signing, configuration",
                    "test.appstudio.openshift.io/added-to-global-candidate-list": "{\"result\":true,\"reason\":\"Success\",\"lastupdatedtime\":\"2026-04-25T08:47:01Z\"}",
                    "test.appstudio.openshift.io/integration-workflow": "push",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1777106360000",
                    "test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "test.appstudio.openshift.io/status": "[{\"scenario\":\"my-integration-test-pscf\",\"status\":\"Pending\",\"lastUpdateTime\":\"2026-04-25T08:47:02.059984407Z\",\"details\":\"Pending\"}]"
                },
                "creationTimestamp": "2026-04-25T08:47:03Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.1",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083920-000",
                    "build.appstudio.redhat.com/pipeline": "enterprise-contract",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998372575",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "enterprise-contract",
                    "tekton.dev/pipelineRun": "my-integration-test-pscf-dxntr",
                    "tekton.dev/pipelineRunUID": "2b64b758-3bc5-4dce-a4ba-2556456180a3",
                    "tekton.dev/pipelineTask": "collect-keyless-params",
                    "tekton.dev/task": "collect-keyless-params",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1777106819",
                    "test.appstudio.openshift.io/scenario": "my-integration-test-pscf",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "my-integration-test-pscf-dxntr-collect-keyless-params",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "my-integration-test-pscf-dxntr",
                        "uid": "2b64b758-3bc5-4dce-a4ba-2556456180a3"
                    }
                ],
                "resourceVersion": "47882",
                "uid": "6608f105-f8e9-4630-9317-5ce9cdf99452"
            },
            "spec": {
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "bundle",
                            "value": "quay.io/conforma/tekton-task:konflux"
                        },
                        {
                            "name": "name",
                            "value": "collect-keyless-params"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:47:10Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:47:10Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "my-integration-test-pscf-dxntr-collect-keyless-params-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ce81caef343582bd5e20b51fb965f6bde405277f977d8e4e7652ea23e63da837"
                        },
                        "entryPoint": "collect-keyless-params",
                        "uri": "quay.io/conforma/tekton-task"
                    }
                },
                "results": [
                    {
                        "name": "buildIdentityRegexp",
                        "type": "string",
                        "value": "^https://kubernetes.io/namespaces/[a-z0-9-]+-tenant/serviceaccounts/build-pipeline-[a-z0-9-]+$"
                    },
                    {
                        "name": "defaultOIDCIssuer",
                        "type": "string",
                        "value": "https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j"
                    },
                    {
                        "name": "fulcioUrl",
                        "type": "string",
                        "value": "http://fulcio-server.tsf-tas.svc.cluster.local"
                    },
                    {
                        "name": "keylessSigningEnabled",
                        "type": "string",
                        "value": "true"
                    },
                    {
                        "name": "rekorUrl",
                        "type": "string",
                        "value": "http://rekor-server.tsf-tas.svc.cluster.local"
                    },
                    {
                        "name": "tektonChainsIdentity",
                        "type": "string",
                        "value": "https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller"
                    },
                    {
                        "name": "tufUrl",
                        "type": "string",
                        "value": "http://tuf.tsf-tas.svc.cluster.local"
                    }
                ],
                "startTime": "2026-04-25T08:47:03Z",
                "steps": [
                    {
                        "container": "step-collect-signing-params",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "collect-signing-params",
                        "terminated": {
                            "containerID": "cri-o://7f34b59e933aeccf9491965befb046bca278c099e9d7a97a47287e855228137c",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:47:09Z",
                            "message": "[{\"key\":\"buildIdentityRegexp\",\"value\":\"^https://kubernetes.io/namespaces/[a-z0-9-]+-tenant/serviceaccounts/build-pipeline-[a-z0-9-]+$\",\"type\":1},{\"key\":\"defaultOIDCIssuer\",\"value\":\"https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j\",\"type\":1},{\"key\":\"fulcioUrl\",\"value\":\"http://fulcio-server.tsf-tas.svc.cluster.local\",\"type\":1},{\"key\":\"keylessSigningEnabled\",\"value\":\"true\",\"type\":1},{\"key\":\"rekorUrl\",\"value\":\"http://rekor-server.tsf-tas.svc.cluster.local\",\"type\":1},{\"key\":\"tektonChainsIdentity\",\"value\":\"https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller\",\"type\":1},{\"key\":\"tufUrl\",\"value\":\"http://tuf.tsf-tas.svc.cluster.local\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:47:07Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Tekton task to collect Konflux configuration parameters related to\nkeyless signing using cosign. The task attempts to read the \"cluster-config\"\nConfigMap in the \"konflux-info\" namespace to extract signing parameters.\n\nIn case the ConfigMap is not found, the task will output empty strings for all parameters,\nallowing the pipeline to continue without signing parameters.\n",
                    "params": [
                        {
                            "default": "cluster-config",
                            "description": "The name of the ConfigMap to read signing parameters from",
                            "name": "configMapName",
                            "type": "string"
                        },
                        {
                            "default": "konflux-info",
                            "description": "The namespace where the ConfigMap is located",
                            "name": "configMapNamespace",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "A flag indicating whether keyless signing is enabled based on the presence of signing parameters.\n",
                            "name": "keylessSigningEnabled",
                            "type": "string"
                        },
                        {
                            "description": "A default OIDC issuer URL to be used for signing.\n",
                            "name": "defaultOIDCIssuer",
                            "type": "string"
                        },
                        {
                            "description": "A regular expression to extract build identity from the OIDC token claims, if applicable.\n",
                            "name": "buildIdentityRegexp",
                            "type": "string"
                        },
                        {
                            "description": "The Tekton Chains identity from the OIDC token claims, if applicable.\n",
                            "name": "tektonChainsIdentity",
                            "type": "string"
                        },
                        {
                            "description": "The URL of the Fulcio certificate authority.\n",
                            "name": "fulcioUrl",
                            "type": "string"
                        },
                        {
                            "description": "The URL of the Rekor transparency log.\n",
                            "name": "rekorUrl",
                            "type": "string"
                        },
                        {
                            "description": "The URL of the TUF repository.\n",
                            "name": "tufUrl",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "securityContext": {
                            "runAsUser": 1001
                        }
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "128Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "128Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "configMapNamespace",
                                    "value": "konflux-info"
                                },
                                {
                                    "name": "configMapName",
                                    "value": "cluster-config"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "collect-signing-params",
                            "script": "#!/bin/bash\nset -euo pipefail\n\n# Default value is \"false\"\nkeylessSigningEnabled=\"false\"\n\n# Default values are empty strings\ndefaultOIDCIssuer=\"\"\nbuildIdentityRegexp=\"\"\ntektonChainsIdentity=\"\"\nfulcioUrl=\"\"\nrekorUrl=\"\"\ntufUrl=\"\"\n\n# Read from the ConfigMap\necho \"Reading ConfigMap ${configMapNamespace}/${configMapName}\"\nKFLX_CONFIG_PATH='/tmp/cluster-config.json'\n\nif kubectl get configmap \"${configMapName}\" -n \"${configMapNamespace}\" -o json --ignore-not-found \u003e \"${KFLX_CONFIG_PATH}\"; then\n  if [ -s \"${KFLX_CONFIG_PATH}\" ]; then\n    echo \"ConfigMap found, extracting keyless signing parameters\"\n\n    # First we read \"keylessSigningEnabled\"\n    keylessSigningEnabled=$(jq -r '.data.enableKeylessSigning // \"false\"' \"$KFLX_CONFIG_PATH\")\n\n    if [ \"$keylessSigningEnabled\" = \"true\" ]; then\n      # If that is set to \"true\" then read the other values\n      defaultOIDCIssuer=$(jq -r '.data.defaultOIDCIssuer // \"\"' \"$KFLX_CONFIG_PATH\")\n      buildIdentityRegexp=$(jq -r '.data.buildIdentityRegexp // \"\"' \"$KFLX_CONFIG_PATH\")\n      tektonChainsIdentity=$(jq -r '.data.tektonChainsIdentity // \"\"' \"$KFLX_CONFIG_PATH\")\n\n      # For each of these we prefer the internal url if its present\n      fulcioUrl=$(jq -r '.data.fulcioInternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n      if [ -z \"$fulcioUrl\" ]; then\n        fulcioUrl=$(jq -r '.data.fulcioExternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n      fi\n\n      rekorUrl=$(jq -r '.data.rekorInternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n      if [ -z \"$rekorUrl\" ]; then\n        rekorUrl=$(jq -r '.data.rekorExternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n      fi\n\n      tufUrl=$(jq -r '.data.tufInternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n      if [ -z \"$tufUrl\" ]; then\n        tufUrl=$(jq -r '.data.tufExternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n      fi\n\n    else\n      # Otherwise we ignore the rest of the 
ConfigMap\n      echo \"enableKeylessSigning is not set, using default empty values\"\n\n    fi\n  else\n    # Because we used --ignore-not-found this doesn't produce an error\n    echo \"ConfigMap not found, using default empty values\"\n\n  fi\n\nelse\n  # Some error other than \"not found\"\n  # (Stderr from kubectl should be visible in the task log.)\n  echo \"Problem reading ConfigMap, using default empty values\"\n\nfi\n\n# Write to task results\necho -n \"$keylessSigningEnabled\" \u003e \"/tekton/results/keylessSigningEnabled\"\necho -n \"$defaultOIDCIssuer\" \u003e \"/tekton/results/defaultOIDCIssuer\"\necho -n \"$buildIdentityRegexp\" \u003e \"/tekton/results/buildIdentityRegexp\"\necho -n \"$tektonChainsIdentity\" \u003e \"/tekton/results/tektonChainsIdentity\"\necho -n \"$fulcioUrl\" \u003e \"/tekton/results/fulcioUrl\"\necho -n \"$rekorUrl\" \u003e \"/tekton/results/rekorUrl\"\necho -n \"$tufUrl\" \u003e \"/tekton/results/tufUrl\"\n\n# Output for troubleshooting/debugging\necho \"results.keylessSigningEnabled: $keylessSigningEnabled\"\necho \"results.defaultOIDCIssuer: $defaultOIDCIssuer\"\necho \"results.buildIdentityRegexp: $buildIdentityRegexp\"\necho \"results.tektonChainsIdentity: $tektonChainsIdentity\"\necho \"results.fulcioUrl: $fulcioUrl\"\necho \"results.rekorUrl: $rekorUrl\"\necho \"results.tufUrl: $tufUrl\"\n"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/commit_sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/target_branch": "base-vbzktl",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=82",
                    "pac.test.appstudio.openshift.io/branch": "base-vbzktl",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998372575",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-wjhlte",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/my-integration-test-pscf-dxntr",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-vbzktl\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #234 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/f531195f8270badfde86d3c2463affa6ca989043",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-vbzktl",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/2b64b758-3bc5-4dce-a4ba-2556456180a3/records/89db0612-8dcb-40e2-b794-100945fc32f4",
                    "results.tekton.dev/result": "default-tenant/results/2b64b758-3bc5-4dce-a4ba-2556456180a3",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/displayName": "Verify Enterprise Contract",
                    "tekton.dev/pipelines.minVersion": "0.19",
                    "tekton.dev/tags": "ec, chains, signature, conftest",
                    "test.appstudio.openshift.io/added-to-global-candidate-list": "{\"result\":true,\"reason\":\"Success\",\"lastupdatedtime\":\"2026-04-25T08:47:01Z\"}",
                    "test.appstudio.openshift.io/integration-workflow": "push",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1777106360000",
                    "test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "test.appstudio.openshift.io/status": "[{\"scenario\":\"my-integration-test-pscf\",\"status\":\"Pending\",\"lastUpdateTime\":\"2026-04-25T08:47:02.059984407Z\",\"details\":\"Pending\"}]"
                },
                "creationTimestamp": "2026-04-25T08:47:10Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.1",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083920-000",
                    "build.appstudio.redhat.com/pipeline": "enterprise-contract",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998372575",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "enterprise-contract",
                    "tekton.dev/pipelineRun": "my-integration-test-pscf-dxntr",
                    "tekton.dev/pipelineRunUID": "2b64b758-3bc5-4dce-a4ba-2556456180a3",
                    "tekton.dev/pipelineTask": "verify",
                    "tekton.dev/task": "verify-enterprise-contract",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1777106819",
                    "test.appstudio.openshift.io/scenario": "my-integration-test-pscf",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "my-integration-test-pscf-dxntr-verify",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "my-integration-test-pscf-dxntr",
                        "uid": "2b64b758-3bc5-4dce-a4ba-2556456180a3"
                    }
                ],
                "resourceVersion": "48018",
                "uid": "89db0612-8dcb-40e2-b794-100945fc32f4"
            },
            "spec": {
                "params": [
                    {
                        "name": "POLICY_CONFIGURATION",
                        "value": "enterprise-contract-service/default"
                    },
                    {
                        "name": "IMAGES",
                        "value": "{\"application\":\"tsf-demo-app\",\"componentGroup\":\"\",\"components\":[{\"name\":\"tsf-demo-comp\",\"version\":\"\",\"containerImage\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\",\"source\":{\"git\":{\"url\":\"https://github.com/rhads-tsf-qe/testrepo\",\"revision\":\"f531195f8270badfde86d3c2463affa6ca989043\"}}}],\"artifacts\":{}}"
                    },
                    {
                        "name": "SSL_CERT_DIR",
                        "value": ""
                    },
                    {
                        "name": "STRICT",
                        "value": "true"
                    },
                    {
                        "name": "PUBLIC_KEY",
                        "value": "k8s://openshift-pipelines/public-key"
                    },
                    {
                        "name": "IGNORE_REKOR",
                        "value": "true"
                    },
                    {
                        "name": "CERTIFICATE_OIDC_ISSUER",
                        "value": "https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j"
                    },
                    {
                        "name": "CERTIFICATE_IDENTITY",
                        "value": "https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller"
                    },
                    {
                        "name": "TUF_MIRROR",
                        "value": "http://tuf.tsf-tas.svc.cluster.local"
                    },
                    {
                        "name": "REKOR_HOST",
                        "value": "http://rekor-server.tsf-tas.svc.cluster.local"
                    },
                    {
                        "name": "WORKERS",
                        "value": "1"
                    },
                    {
                        "name": "CA_TRUST_CONFIGMAP_NAME",
                        "value": "trusted-ca"
                    },
                    {
                        "name": "CA_TRUST_CONFIG_MAP_KEY",
                        "value": "ca-bundle.crt"
                    },
                    {
                        "name": "EXTRA_RULE_DATA",
                        "value": ""
                    },
                    {
                        "name": "SINGLE_COMPONENT",
                        "value": "false"
                    },
                    {
                        "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE",
                        "value": "pr/my-integration-test-pscf-dxntr"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "bundle",
                            "value": "quay.io/conforma/tekton-task:konflux"
                        },
                        {
                            "name": "name",
                            "value": "verify-enterprise-contract"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "4h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:47:26Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:47:26Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "my-integration-test-pscf-dxntr-verify-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ce81caef343582bd5e20b51fb965f6bde405277f977d8e4e7652ea23e63da837"
                        },
                        "entryPoint": "verify-enterprise-contract",
                        "uri": "quay.io/conforma/tekton-task"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1777106844\",\"namespace\":\"\",\"successes\":128,\"failures\":0,\"warnings\":4,\"result\":\"WARNING\"}\n"
                    }
                ],
                "startTime": "2026-04-25T08:47:10Z",
                "steps": [
                    {
                        "container": "step-initialize-tuf",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "initialize-tuf",
                        "terminated": {
                            "containerID": "cri-o://c32ce2a313d671f1bb8ee1012c4f9c2fb25c534928d927f492db6d087ec2005d",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:47:14Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:47:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-reduce",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "reduce",
                        "terminated": {
                            "containerID": "cri-o://e82572e7cb1c030c9550d897a6771b73cb7ca28b773c64f2983e4cb350957bb1",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:47:14Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:47:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-validate",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "validate",
                        "terminated": {
                            "containerID": "cri-o://14bda2ba1a5567f03fbefc255a25300f1c943fc8fcedac93f6ff8c1dac82205f",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:47:24Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106844\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:47:14Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-report-json",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "report-json",
                        "terminated": {
                            "containerID": "cri-o://4601944a934232c93fc4a5d1249de1da1cc23fda3c70060a6c9ea8c113e557a4",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:47:25Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106844\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:47:25Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-summary",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "summary",
                        "terminated": {
                            "containerID": "cri-o://43cb9da3e62a754fa9844564f5a60ab8556433e7c05f3510a7c5c437c93fad5d",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:47:25Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106844\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:47:25Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-version",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "version",
                        "terminated": {
                            "containerID": "cri-o://95c34d8132e36ec3e73fd628cd676be1b854215de1d2786a8bd8f5da9113a058",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:47:25Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106844\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:47:25Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-show-config",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "show-config",
                        "terminated": {
                            "containerID": "cri-o://895cb99e94a6043d7441accf26b4ebb3a037a256f3061987515edc1a2453f83b",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:47:25Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106844\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:47:25Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-detailed-report",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "detailed-report",
                        "terminated": {
                            "containerID": "cri-o://a1f479362693f5589df5f948816be63a51fa9eb78ef772dcc3df81d1298ce8db",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:47:25Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106844\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:47:25Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-assert",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "assert",
                        "terminated": {
                            "containerID": "cri-o://51f8b6f490a9f7425b7b34123d125a19579ed3691d4e9eca6e68d3f9aeaf5f63",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:47:26Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106844\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:47:26Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Verify the enterprise contract is met",
                    "params": [
                        {
                            "description": "Spec section of an ApplicationSnapshot resource. Not all fields of the\nresource are required. A minimal example:\n\n```json\n  {\n    \"components\": [\n      {\n        \"containerImage\": \"quay.io/example/repo:latest\"\n      }\n    ]\n  }\n```\n\nEach `containerImage` in the `components` array is validated.\n",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "default": "enterprise-contract-service/default",
                            "description": "Name of the policy configuration (EnterpriseContractPolicy\nresource) to use. `namespace/name` or `name` syntax supported. If\nnamespace is omitted the namespace where the task runs is used.\nYou can also specify a policy configuration using a git url, e.g.\n`github.com/conforma/config//slsa3`.\n",
                            "name": "POLICY_CONFIGURATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Public key used to verify traditional long-lived signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute. Required for traditional signing key verification. Will be ignored if any of CERTIFICATE_IDENTITY, CERTIFICATE_IDENTITY_REGEXP, CERTIFICATE_OIDC_ISSUER, or CERTIFICATE_OIDC_ISSUER_REGEXP are provided.",
                            "name": "PUBLIC_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Rekor host for transparency log lookups",
                            "name": "REKOR_HOST",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected identity in the signing certificate for keyless verification. This should be the email or URI that was used when signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_IDENTITY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected OIDC issuer in the signing certificate for keyless verification. This should match the issuer that provided the identity token used for signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_OIDC_ISSUER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_IDENTITY but the value is a regexp that will be matched. Note that CERTIFICATE_IDENTITY takes precedence over this if both are present.",
                            "name": "CERTIFICATE_IDENTITY_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_OIDC_ISSUER but a regexp that will be matched. Note that CERTIFICATE_OIDC_ISSUER takes precedence over this if both are present.",
                            "name": "CERTIFICATE_OIDC_ISSUER_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip Rekor transparency log checks during validation. Compatible with traditional signing secret signature checks only. If any of the CERTIFICATE_* keyless verification params are present, this value is disregarded and Rekor transparency log checks are included.",
                            "name": "IGNORE_REKOR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "TUF mirror URL. Provide a value when NOT using the public sigstore deployment.",
                            "name": "TUF_MIRROR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Path to a directory containing SSL certs to be used when communicating\nwith external services. This is useful when using the integrated registry\nand a local instance of Rekor on a development cluster which may use\ncertificates issued by a root CA that is not commonly trusted. In such cases,\n`/var/run/secrets/kubernetes.io/serviceaccount` is a good value. Multiple\npaths can be provided by using the `:` separator.\n",
                            "name": "SSL_CERT_DIR",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIGMAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Include rule titles and descriptions in the output. Set to `\"false\"` to disable it.",
                            "name": "INFO",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Fail the task if policy fails. Set to `\"false\"` to disable it.",
                            "name": "STRICT",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Value for the HOME environment variable.",
                            "name": "HOMEDIR",
                            "type": "string"
                        },
                        {
                            "default": "now",
                            "description": "Run policy checks with the provided time.",
                            "name": "EFFECTIVE_TIME",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Merge additional Rego variables into the policy data. Use syntax \"key=value,key2=value2...\"",
                            "name": "EXTRA_RULE_DATA",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Number of parallel workers to use for policy evaluation.",
                            "name": "WORKERS",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Reduce the Snapshot to only the component whose build caused the Snapshot to be created",
                            "name": "SINGLE_COMPONENT",
                            "type": "string"
                        },
                        {
                            "default": "unknown",
                            "description": "Name, including kind, of the Kubernetes resource to query for labels when single component mode is enabled, e.g. pr/somepipeline.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Kubernetes namespace where the resource named by SINGLE_COMPONENT_CUSTOM_RESOURCE is found. Only used when single component mode is enabled.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE_NS",
                            "type": "string"
                        },
                        {
                            "default": "1s",
                            "description": "Base duration for exponential backoff calculation (e.g., \"1s\", \"500ms\")",
                            "name": "RETRY_DURATION",
                            "type": "string"
                        },
                        {
                            "default": "2.0",
                            "description": "Exponential backoff multiplier (e.g., \"2.0\", \"1.5\")",
                            "name": "RETRY_FACTOR",
                            "type": "string"
                        },
                        {
                            "default": "0.1",
                            "description": "Randomness factor for backoff calculation (0.0-1.0, e.g., \"0.1\", \"0.2\")",
                            "name": "RETRY_JITTER",
                            "type": "string"
                        },
                        {
                            "default": "3",
                            "description": "Maximum number of retry attempts",
                            "name": "RETRY_MAX_RETRY",
                            "type": "string"
                        },
                        {
                            "default": "3s",
                            "description": "Maximum wait time between retries (e.g., \"3s\", \"10s\")",
                            "name": "RETRY_MAX_WAIT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Short summary of the policy evaluation for each image",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "HOME",
                                "value": "/tekton/home"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "sigstore",
                                "initialize",
                                "--mirror",
                                "http://tuf.tsf-tas.svc.cluster.local",
                                "--root",
                                "http://tuf.tsf-tas.svc.cluster.local/root.json"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "initialize-tuf",
                            "when": [
                                {
                                    "input": "http://tuf.tsf-tas.svc.cluster.local",
                                    "operator": "notin",
                                    "values": [
                                        ""
                                    ]
                                }
                            ]
                        },
                        {
                            "command": [
                                "reduce-snapshot.sh"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNAPSHOT",
                                    "value": "{\"application\":\"tsf-demo-app\",\"componentGroup\":\"\",\"components\":[{\"name\":\"tsf-demo-comp\",\"version\":\"\",\"containerImage\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\",\"source\":{\"git\":{\"url\":\"https://github.com/rhads-tsf-qe/testrepo\",\"revision\":\"f531195f8270badfde86d3c2463affa6ca989043\"}}}],\"artifacts\":{}}"
                                },
                                {
                                    "name": "SINGLE_COMPONENT",
                                    "value": "false"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE",
                                    "value": "pr/my-integration-test-pscf-dxntr"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE_NAMESPACE"
                                },
                                {
                                    "name": "SNAPSHOT_PATH",
                                    "value": "/tekton/home/snapshot.json"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "reduce",
                            "onError": "continue"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "2Gi"
                                },
                                "requests": {
                                    "cpu": "1800m",
                                    "memory": "2Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_CONFIGURATION",
                                    "value": "enterprise-contract-service/default"
                                },
                                {
                                    "name": "PUBLIC_KEY",
                                    "value": "k8s://openshift-pipelines/public-key"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY",
                                    "value": "https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER",
                                    "value": "https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY_REGEXP"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER_REGEXP"
                                },
                                {
                                    "name": "REKOR_HOST",
                                    "value": "http://rekor-server.tsf-tas.svc.cluster.local"
                                },
                                {
                                    "name": "IGNORE_REKOR",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKERS",
                                    "value": "1"
                                },
                                {
                                    "name": "INFO",
                                    "value": "true"
                                },
                                {
                                    "name": "EFFECTIVE_TIME",
                                    "value": "now"
                                },
                                {
                                    "name": "EXTRA_RULE_DATA"
                                },
                                {
                                    "name": "RETRY_MAX_WAIT",
                                    "value": "3s"
                                },
                                {
                                    "name": "RETRY_MAX_RETRY",
                                    "value": "3"
                                },
                                {
                                    "name": "RETRY_DURATION",
                                    "value": "1s"
                                },
                                {
                                    "name": "RETRY_FACTOR",
                                    "value": "2.0"
                                },
                                {
                                    "name": "RETRY_JITTER",
                                    "value": "0.1"
                                },
                                {
                                    "name": "HOMEDIR",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "SSL_CERT_DIR",
                                    "value": "/tekton-custom-certs:/etc/ssl/certs:/etc/pki/tls/certs:/system/etc/security/cacerts:"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "validate",
                            "onError": "continue",
                            "script": "#!/bin/bash\nset -euo pipefail\n\ncmd_args=(\n  validate\n  image\n  --images=\"${HOMEDIR}/snapshot.json\"\n  --policy=\"${POLICY_CONFIGURATION}\"\n)\n\n# To keep bash logic as thin as possible we deliberately don't sanitize\n# these params. If something is wrong or missing let Conforma handle it.\n\nif [ -n \"${CERTIFICATE_IDENTITY}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ] || \\\n   [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n  # If *any* of the above are non-empty assume the intention is to\n  # try keyless verification\n\n  if [ -n \"${CERTIFICATE_IDENTITY}\" ]; then\n    cmd_args+=(\n      --certificate-identity=\"${CERTIFICATE_IDENTITY}\"\n    )\n  elif [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-identity-regexp=\"${CERTIFICATE_IDENTITY_REGEXP}\"\n    )\n  fi\n\n  if [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer=\"${CERTIFICATE_OIDC_ISSUER}\"\n    )\n  elif [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer-regexp=\"${CERTIFICATE_OIDC_ISSUER_REGEXP}\"\n    )\n  fi\n\n  # Force --ignore-rekor to false since we need rekor\n  cmd_args+=(\n    --ignore-rekor=false\n  )\nelse\n  # Assume traditional signing secret verification\n  cmd_args+=(\n    --public-key=\"${PUBLIC_KEY}\"\n    --ignore-rekor=\"${IGNORE_REKOR}\"\n  )\nfi\n\ncmd_args+=(\n  --rekor-url=\"${REKOR_HOST}\"\n  --workers=\"${WORKERS}\"\n  --info=\"${INFO}\"\n  --timeout=0\n  --strict=false\n  --show-successes=true\n  --show-policy-docs-link=true\n  --effective-time=\"${EFFECTIVE_TIME}\"\n  --extra-rule-data=\"${EXTRA_RULE_DATA}\"\n  --retry-max-wait=\"${RETRY_MAX_WAIT}\"\n  --retry-max-retry=\"${RETRY_MAX_RETRY}\"\n  --retry-duration=\"${RETRY_DURATION}\"\n  --retry-factor=\"${RETRY_FACTOR}\"\n  --retry-jitter=\"${RETRY_JITTER}\"\n  
--output=\"text=${HOMEDIR}/text-report.txt?show-successes=false\"\n  --output=\"json=${HOMEDIR}/report-json.json\"\n  --output=\"appstudio=/tekton/results/TEST_OUTPUT\"\n)\n\n\n# Execute Conforma with constructed arguments\nexec ec \"${cmd_args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "args": [
                                "jq . /tekton/home/report-json.json | awk '{gsub(/^ +/, \"\"); acc += length; if (acc \u003e= 8000) { printf \"\\n\"; acc=length } printf $0 }'"
                            ],
                            "command": [
                                "sh",
                                "-c"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "report-json",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                ".",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "summary",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "version"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "version"
                        },
                        {
                            "args": [
                                "{policy: .policy, key: .key, \"effective-time\": .[\"effective-time\"]}",
                                "/tekton/home/report-json.json"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "show-config"
                        },
                        {
                            "args": [
                                "/tekton/home/text-report.txt"
                            ],
                            "command": [
                                "cat"
                            ],
                            "computeResources": {},
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "detailed-report",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "--argjson",
                                "strict",
                                "true",
                                "-e",
                                ".result == \"SUCCESS\" or .result == \"WARNING\" or ($strict | not)\n",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "assert"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The workspace where the snapshot spec json file resides",
                            "name": "data",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/commit_sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/target_branch": "base-ztilmj",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=43",
                    "pac.test.appstudio.openshift.io/branch": "base-ztilmj",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998131637",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-dryzug",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/my-integration-test-pscf-lfgfg",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ztilmj\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #232 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-ztilmj",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/fe8d5d2a-4a2a-4d5c-b55d-e5e047a563e9/records/7109ea83-7269-492d-8270-4c74d6d87a41",
                    "results.tekton.dev/result": "default-tenant/results/fe8d5d2a-4a2a-4d5c-b55d-e5e047a563e9",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/displayName": "Collect Keyless Signing Parameters",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "ec, keyless, signing, configuration",
                    "test.appstudio.openshift.io/integration-workflow": "push",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1777106026000",
                    "test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "test.appstudio.openshift.io/status": "[{\"scenario\":\"my-integration-test-pscf\",\"status\":\"Pending\",\"lastUpdateTime\":\"2026-04-25T08:42:59.905428812Z\",\"details\":\"Pending\"}]"
                },
                "creationTimestamp": "2026-04-25T08:43:01Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.1",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083346-000",
                    "build.appstudio.redhat.com/pipeline": "enterprise-contract",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998131637",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "enterprise-contract",
                    "tekton.dev/pipelineRun": "my-integration-test-pscf-lfgfg",
                    "tekton.dev/pipelineRunUID": "fe8d5d2a-4a2a-4d5c-b55d-e5e047a563e9",
                    "tekton.dev/pipelineTask": "collect-keyless-params",
                    "tekton.dev/task": "collect-keyless-params",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1777106577",
                    "test.appstudio.openshift.io/scenario": "my-integration-test-pscf",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "my-integration-test-pscf-lfgfg-collect-keyless-params",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "my-integration-test-pscf-lfgfg",
                        "uid": "fe8d5d2a-4a2a-4d5c-b55d-e5e047a563e9"
                    }
                ],
                "resourceVersion": "44186",
                "uid": "7109ea83-7269-492d-8270-4c74d6d87a41"
            },
            "spec": {
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "bundle",
                            "value": "quay.io/conforma/tekton-task:konflux"
                        },
                        {
                            "name": "name",
                            "value": "collect-keyless-params"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:43:14Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:43:14Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "my-integration-test-pscf-lfgfg-collect-keyless-params-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ce81caef343582bd5e20b51fb965f6bde405277f977d8e4e7652ea23e63da837"
                        },
                        "entryPoint": "collect-keyless-params",
                        "uri": "quay.io/conforma/tekton-task"
                    }
                },
                "results": [
                    {
                        "name": "buildIdentityRegexp",
                        "type": "string",
                        "value": "^https://kubernetes.io/namespaces/[a-z0-9-]+-tenant/serviceaccounts/build-pipeline-[a-z0-9-]+$"
                    },
                    {
                        "name": "defaultOIDCIssuer",
                        "type": "string",
                        "value": "https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j"
                    },
                    {
                        "name": "fulcioUrl",
                        "type": "string",
                        "value": "http://fulcio-server.tsf-tas.svc.cluster.local"
                    },
                    {
                        "name": "keylessSigningEnabled",
                        "type": "string",
                        "value": "true"
                    },
                    {
                        "name": "rekorUrl",
                        "type": "string",
                        "value": "http://rekor-server.tsf-tas.svc.cluster.local"
                    },
                    {
                        "name": "tektonChainsIdentity",
                        "type": "string",
                        "value": "https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller"
                    },
                    {
                        "name": "tufUrl",
                        "type": "string",
                        "value": "http://tuf.tsf-tas.svc.cluster.local"
                    }
                ],
                "startTime": "2026-04-25T08:43:01Z",
                "steps": [
                    {
                        "container": "step-collect-signing-params",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "collect-signing-params",
                        "terminated": {
                            "containerID": "cri-o://bd1de05c3171f80a5db042763a120c1daa28bbe17767b97cd6fea9cbbd2fc029",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:13Z",
                            "message": "[{\"key\":\"buildIdentityRegexp\",\"value\":\"^https://kubernetes.io/namespaces/[a-z0-9-]+-tenant/serviceaccounts/build-pipeline-[a-z0-9-]+$\",\"type\":1},{\"key\":\"defaultOIDCIssuer\",\"value\":\"https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j\",\"type\":1},{\"key\":\"fulcioUrl\",\"value\":\"http://fulcio-server.tsf-tas.svc.cluster.local\",\"type\":1},{\"key\":\"keylessSigningEnabled\",\"value\":\"true\",\"type\":1},{\"key\":\"rekorUrl\",\"value\":\"http://rekor-server.tsf-tas.svc.cluster.local\",\"type\":1},{\"key\":\"tektonChainsIdentity\",\"value\":\"https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller\",\"type\":1},{\"key\":\"tufUrl\",\"value\":\"http://tuf.tsf-tas.svc.cluster.local\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:11Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Tekton task to collect Konflux configuration parameters related to\nkeyless signing using cosign. The task attempts to read the \"cluster-config\"\nConfigMap in the \"konflux-info\" namespace to extract signing parameters.\n\nIf the ConfigMap is not found or cannot be read, the task outputs \"false\" for\nkeylessSigningEnabled and empty strings for all other results, allowing the pipeline to\ncontinue without signing parameters.\n",
                    "params": [
                        {
                            "default": "cluster-config",
                            "description": "The name of the ConfigMap to read signing parameters from",
                            "name": "configMapName",
                            "type": "string"
                        },
                        {
                            "default": "konflux-info",
                            "description": "The namespace where the ConfigMap is located",
                            "name": "configMapNamespace",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "A flag indicating whether keyless signing is enabled based on the presence of signing parameters.\n",
                            "name": "keylessSigningEnabled",
                            "type": "string"
                        },
                        {
                            "description": "A default OIDC issuer URL to be used for signing.\n",
                            "name": "defaultOIDCIssuer",
                            "type": "string"
                        },
                        {
                            "description": "A regular expression to extract build identity from the OIDC token claims, if applicable.\n",
                            "name": "buildIdentityRegexp",
                            "type": "string"
                        },
                        {
                            "description": "The Tekton Chains identity from the OIDC token claims, if applicable.\n",
                            "name": "tektonChainsIdentity",
                            "type": "string"
                        },
                        {
                            "description": "The URL of the Fulcio certificate authority.\n",
                            "name": "fulcioUrl",
                            "type": "string"
                        },
                        {
                            "description": "The URL of the Rekor transparency log.\n",
                            "name": "rekorUrl",
                            "type": "string"
                        },
                        {
                            "description": "The URL of the TUF repository.\n",
                            "name": "tufUrl",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "securityContext": {
                            "runAsUser": 1001
                        }
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "128Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "128Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "configMapNamespace",
                                    "value": "konflux-info"
                                },
                                {
                                    "name": "configMapName",
                                    "value": "cluster-config"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "collect-signing-params",
                            "script": "#!/bin/bash\nset -euo pipefail\n\n# Default value is \"false\"\nkeylessSigningEnabled=\"false\"\n\n# Default values are empty strings\ndefaultOIDCIssuer=\"\"\nbuildIdentityRegexp=\"\"\ntektonChainsIdentity=\"\"\nfulcioUrl=\"\"\nrekorUrl=\"\"\ntufUrl=\"\"\n\n# Read from the ConfigMap\necho \"Reading ConfigMap ${configMapNamespace}/${configMapName}\"\nKFLX_CONFIG_PATH='/tmp/cluster-config.json'\n\nif kubectl get configmap \"${configMapName}\" -n \"${configMapNamespace}\" -o json --ignore-not-found \u003e \"${KFLX_CONFIG_PATH}\"; then\n  if [ -s \"${KFLX_CONFIG_PATH}\" ]; then\n    echo \"ConfigMap found, extracting keyless signing parameters\"\n\n    # First we read \"keylessSigningEnabled\"\n    keylessSigningEnabled=$(jq -r '.data.enableKeylessSigning // \"false\"' \"$KFLX_CONFIG_PATH\")\n\n    if [ \"$keylessSigningEnabled\" = \"true\" ]; then\n      # If that is set to \"true\" then read the other values\n      defaultOIDCIssuer=$(jq -r '.data.defaultOIDCIssuer // \"\"' \"$KFLX_CONFIG_PATH\")\n      buildIdentityRegexp=$(jq -r '.data.buildIdentityRegexp // \"\"' \"$KFLX_CONFIG_PATH\")\n      tektonChainsIdentity=$(jq -r '.data.tektonChainsIdentity // \"\"' \"$KFLX_CONFIG_PATH\")\n\n      # For each of these we prefer the internal url if its present\n      fulcioUrl=$(jq -r '.data.fulcioInternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n      if [ -z \"$fulcioUrl\" ]; then\n        fulcioUrl=$(jq -r '.data.fulcioExternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n      fi\n\n      rekorUrl=$(jq -r '.data.rekorInternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n      if [ -z \"$rekorUrl\" ]; then\n        rekorUrl=$(jq -r '.data.rekorExternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n      fi\n\n      tufUrl=$(jq -r '.data.tufInternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n      if [ -z \"$tufUrl\" ]; then\n        tufUrl=$(jq -r '.data.tufExternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n      fi\n\n    else\n      # Otherwise we ignore the rest of the 
ConfigMap\n      echo \"enableKeylessSigning is not set, using default empty values\"\n\n    fi\n  else\n    # Because we used --ignore-not-found this doesn't produce an error\n    echo \"ConfigMap not found, using default empty values\"\n\n  fi\n\nelse\n  # Some error other than \"not found\"\n  # (Stderr from kubectl should be visible in the task log.)\n  echo \"Problem reading ConfigMap, using default empty values\"\n\nfi\n\n# Write to task results\necho -n \"$keylessSigningEnabled\" \u003e \"/tekton/results/keylessSigningEnabled\"\necho -n \"$defaultOIDCIssuer\" \u003e \"/tekton/results/defaultOIDCIssuer\"\necho -n \"$buildIdentityRegexp\" \u003e \"/tekton/results/buildIdentityRegexp\"\necho -n \"$tektonChainsIdentity\" \u003e \"/tekton/results/tektonChainsIdentity\"\necho -n \"$fulcioUrl\" \u003e \"/tekton/results/fulcioUrl\"\necho -n \"$rekorUrl\" \u003e \"/tekton/results/rekorUrl\"\necho -n \"$tufUrl\" \u003e \"/tekton/results/tufUrl\"\n\n# Output for troubleshooting/debugging\necho \"results.keylessSigningEnabled: $keylessSigningEnabled\"\necho \"results.defaultOIDCIssuer: $defaultOIDCIssuer\"\necho \"results.buildIdentityRegexp: $buildIdentityRegexp\"\necho \"results.tektonChainsIdentity: $tektonChainsIdentity\"\necho \"results.fulcioUrl: $fulcioUrl\"\necho \"results.rekorUrl: $rekorUrl\"\necho \"results.tufUrl: $tufUrl\"\n"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/commit_sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/target_branch": "base-ztilmj",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=50",
                    "pac.test.appstudio.openshift.io/branch": "base-ztilmj",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998131637",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-dryzug",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/my-integration-test-pscf-lfgfg",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ztilmj\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #232 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-ztilmj",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/fe8d5d2a-4a2a-4d5c-b55d-e5e047a563e9/records/8c2963dd-33c9-43b6-afcf-dacb0907180d",
                    "results.tekton.dev/result": "default-tenant/results/fe8d5d2a-4a2a-4d5c-b55d-e5e047a563e9",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/displayName": "Verify Enterprise Contract",
                    "tekton.dev/pipelines.minVersion": "0.19",
                    "tekton.dev/tags": "ec, chains, signature, conftest",
                    "test.appstudio.openshift.io/integration-workflow": "push",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1777106026000",
                    "test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "test.appstudio.openshift.io/status": "[{\"scenario\":\"my-integration-test-pscf\",\"status\":\"Pending\",\"lastUpdateTime\":\"2026-04-25T08:42:59.905428812Z\",\"details\":\"Pending\"}]"
                },
                "creationTimestamp": "2026-04-25T08:43:14Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.1",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083346-000",
                    "build.appstudio.redhat.com/pipeline": "enterprise-contract",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998131637",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "enterprise-contract",
                    "tekton.dev/pipelineRun": "my-integration-test-pscf-lfgfg",
                    "tekton.dev/pipelineRunUID": "fe8d5d2a-4a2a-4d5c-b55d-e5e047a563e9",
                    "tekton.dev/pipelineTask": "verify",
                    "tekton.dev/task": "verify-enterprise-contract",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1777106577",
                    "test.appstudio.openshift.io/scenario": "my-integration-test-pscf",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "my-integration-test-pscf-lfgfg-verify",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "my-integration-test-pscf-lfgfg",
                        "uid": "fe8d5d2a-4a2a-4d5c-b55d-e5e047a563e9"
                    }
                ],
                "resourceVersion": "44745",
                "uid": "8c2963dd-33c9-43b6-afcf-dacb0907180d"
            },
            "spec": {
                "params": [
                    {
                        "name": "POLICY_CONFIGURATION",
                        "value": "enterprise-contract-service/default"
                    },
                    {
                        "name": "IMAGES",
                        "value": "{\"application\":\"tsf-demo-app\",\"componentGroup\":\"\",\"components\":[{\"name\":\"tsf-demo-comp\",\"version\":\"\",\"containerImage\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\",\"source\":{\"git\":{\"url\":\"https://github.com/rhads-tsf-qe/testrepo\",\"revision\":\"c4c58d9f5a73ead48869e244d9df08f43841367b\"}}}],\"artifacts\":{}}"
                    },
                    {
                        "name": "SSL_CERT_DIR",
                        "value": ""
                    },
                    {
                        "name": "STRICT",
                        "value": "true"
                    },
                    {
                        "name": "PUBLIC_KEY",
                        "value": "k8s://openshift-pipelines/public-key"
                    },
                    {
                        "name": "IGNORE_REKOR",
                        "value": "true"
                    },
                    {
                        "name": "CERTIFICATE_OIDC_ISSUER",
                        "value": "https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j"
                    },
                    {
                        "name": "CERTIFICATE_IDENTITY",
                        "value": "https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller"
                    },
                    {
                        "name": "TUF_MIRROR",
                        "value": "http://tuf.tsf-tas.svc.cluster.local"
                    },
                    {
                        "name": "REKOR_HOST",
                        "value": "http://rekor-server.tsf-tas.svc.cluster.local"
                    },
                    {
                        "name": "WORKERS",
                        "value": "1"
                    },
                    {
                        "name": "CA_TRUST_CONFIGMAP_NAME",
                        "value": "trusted-ca"
                    },
                    {
                        "name": "CA_TRUST_CONFIG_MAP_KEY",
                        "value": "ca-bundle.crt"
                    },
                    {
                        "name": "EXTRA_RULE_DATA",
                        "value": ""
                    },
                    {
                        "name": "SINGLE_COMPONENT",
                        "value": "false"
                    },
                    {
                        "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE",
                        "value": "pr/my-integration-test-pscf-lfgfg"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "bundle",
                            "value": "quay.io/conforma/tekton-task:konflux"
                        },
                        {
                            "name": "name",
                            "value": "verify-enterprise-contract"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "4h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:43:32Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:43:32Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "my-integration-test-pscf-lfgfg-verify-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ce81caef343582bd5e20b51fb965f6bde405277f977d8e4e7652ea23e63da837"
                        },
                        "entryPoint": "verify-enterprise-contract",
                        "uri": "quay.io/conforma/tekton-task"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1777106610\",\"namespace\":\"\",\"successes\":128,\"failures\":0,\"warnings\":4,\"result\":\"WARNING\"}\n"
                    }
                ],
                "startTime": "2026-04-25T08:43:14Z",
                "steps": [
                    {
                        "container": "step-initialize-tuf",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "initialize-tuf",
                        "terminated": {
                            "containerID": "cri-o://604d3ecb4dd8a57388cf1e7cdd04c50bc25a00cd0a188740b0c14c52bb2b3fb2",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:20Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-reduce",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "reduce",
                        "terminated": {
                            "containerID": "cri-o://7149d4945f18cb9f1a93105912aa228e27ecd3dda5b2c78d6ae2d7a909f63f0d",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:20Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-validate",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "validate",
                        "terminated": {
                            "containerID": "cri-o://3b4b3647fa9e195de87c28d09f009db808c7ff01ff7e45cac90323467bab387a",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:30Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106610\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-report-json",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "report-json",
                        "terminated": {
                            "containerID": "cri-o://b4cd6b8d8f91a298c4cc6c481787083222b6b26e10a13d754cb8b6937897f0d7",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:31Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106610\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:31Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-summary",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "summary",
                        "terminated": {
                            "containerID": "cri-o://54de96e46d33940b7a0f7f878e6f97621c0d0d184a8f449554f75d50025073ee",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:31Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106610\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:31Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-version",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "version",
                        "terminated": {
                            "containerID": "cri-o://f7517bf437382fa1fbf39ba7a48966fa6f2d3eae40108fe0e80a1bbab1a6c811",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:31Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106610\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:31Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-show-config",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "show-config",
                        "terminated": {
                            "containerID": "cri-o://f73ab5edea5dd1de5534eed7182c83e7a5870e3d7af73a20a0e36e70dd815848",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:31Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106610\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:31Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-detailed-report",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "detailed-report",
                        "terminated": {
                            "containerID": "cri-o://c2dd12219c54b95009980f253e8e0eaeeaa09a5f705506458f93a8bc404b0964",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:31Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106610\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:31Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-assert",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "assert",
                        "terminated": {
                            "containerID": "cri-o://e03fc84d84d827885c5172b8b99f0c94a5483d1b9f67fb57d7663ffb81ae1b05",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:31Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106610\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:31Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Verify the enterprise contract is met",
                    "params": [
                        {
                            "description": "Spec section of an ApplicationSnapshot resource. Not all fields of the\nresource are required. A minimal example:\n\n```json\n  {\n    \"components\": [\n      {\n        \"containerImage\": \"quay.io/example/repo:latest\"\n      }\n    ]\n  }\n```\n\nEach `containerImage` in the `components` array is validated.\n",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "default": "enterprise-contract-service/default",
                            "description": "Name of the policy configuration (EnterpriseContractPolicy\nresource) to use. `namespace/name` or `name` syntax supported. If\nnamespace is omitted the namespace where the task runs is used.\nYou can also specify a policy configuration using a git url, e.g.\n`github.com/conforma/config//slsa3`.\n",
                            "name": "POLICY_CONFIGURATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Public key used to verify traditional long-lived signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute. Required for traditional signing key verification. Will be ignored if any of CERTIFICATE_IDENTITY, CERTIFICATE_IDENTITY_REGEXP, CERTIFICATE_OIDC_ISSUER, or CERTIFICATE_OIDC_ISSUER_REGEXP are provided.",
                            "name": "PUBLIC_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Rekor host for transparency log lookups",
                            "name": "REKOR_HOST",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected identity in the signing certificate for keyless verification. This should be the email or URI that was used when signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_IDENTITY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected OIDC issuer in the signing certificate for keyless verification. This should match the issuer that provided the identity token used for signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_OIDC_ISSUER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_IDENTITY but the value is a regexp that will be matched. Note that CERTIFICATE_IDENTITY takes precedence over this if both are present.",
                            "name": "CERTIFICATE_IDENTITY_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_OIDC_ISSUER but a regexp that will be matched. Note that CERTIFICATE_OIDC_ISSUER takes precedence over this if both are present.",
                            "name": "CERTIFICATE_OIDC_ISSUER_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip Rekor transparency log checks during validation. Compatible with traditional signing secret signature checks only. If any of the CERTIFICATE_* keyless verification params are present, this value is disregarded and Rekor transparency log checks are included.",
                            "name": "IGNORE_REKOR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "TUF mirror URL. Provide a value when NOT using public sigstore deployment.",
                            "name": "TUF_MIRROR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Path to a directory containing SSL certs to be used when communicating\nwith external services. This is useful when using the integrated registry\nand a local instance of Rekor on a development cluster which may use\ncertificates issued by a not-commonly trusted root CA. In such cases,\n`/var/run/secrets/kubernetes.io/serviceaccount` is a good value. Multiple\npaths can be provided by using the `:` separator.\n",
                            "name": "SSL_CERT_DIR",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIGMAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Include rule titles and descriptions in the output. Set to `\"false\"` to disable it.",
                            "name": "INFO",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Fail the task if policy fails. Set to `\"false\"` to disable it.",
                            "name": "STRICT",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Value for the HOME environment variable.",
                            "name": "HOMEDIR",
                            "type": "string"
                        },
                        {
                            "default": "now",
                            "description": "Run policy checks with the provided time.",
                            "name": "EFFECTIVE_TIME",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Merge additional Rego variables into the policy data. Use syntax \"key=value,key2=value2...\"",
                            "name": "EXTRA_RULE_DATA",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Number of parallel workers to use for policy evaluation.",
                            "name": "WORKERS",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Reduce the Snapshot to only the component whose build caused the Snapshot to be created",
                            "name": "SINGLE_COMPONENT",
                            "type": "string"
                        },
                        {
                            "default": "unknown",
                            "description": "Name, including kind, of the Kubernetes resource to query for labels when single component mode is enabled, e.g. pr/somepipeline.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Kubernetes namespace where the SINGLE_COMPONENT_NAME is found. Only used when single component mode is enabled.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE_NS",
                            "type": "string"
                        },
                        {
                            "default": "1s",
                            "description": "Base duration for exponential backoff calculation (e.g., \"1s\", \"500ms\")",
                            "name": "RETRY_DURATION",
                            "type": "string"
                        },
                        {
                            "default": "2.0",
                            "description": "Exponential backoff multiplier (e.g., \"2.0\", \"1.5\")",
                            "name": "RETRY_FACTOR",
                            "type": "string"
                        },
                        {
                            "default": "0.1",
                            "description": "Randomness factor for backoff calculation (0.0-1.0, e.g., \"0.1\", \"0.2\")",
                            "name": "RETRY_JITTER",
                            "type": "string"
                        },
                        {
                            "default": "3",
                            "description": "Maximum number of retry attempts",
                            "name": "RETRY_MAX_RETRY",
                            "type": "string"
                        },
                        {
                            "default": "3s",
                            "description": "Maximum wait time between retries (e.g., \"3s\", \"10s\")",
                            "name": "RETRY_MAX_WAIT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Short summary of the policy evaluation for each image",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "HOME",
                                "value": "/tekton/home"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "sigstore",
                                "initialize",
                                "--mirror",
                                "http://tuf.tsf-tas.svc.cluster.local",
                                "--root",
                                "http://tuf.tsf-tas.svc.cluster.local/root.json"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "initialize-tuf",
                            "when": [
                                {
                                    "input": "http://tuf.tsf-tas.svc.cluster.local",
                                    "operator": "notin",
                                    "values": [
                                        ""
                                    ]
                                }
                            ]
                        },
                        {
                            "command": [
                                "reduce-snapshot.sh"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNAPSHOT",
                                    "value": "{\"application\":\"tsf-demo-app\",\"componentGroup\":\"\",\"components\":[{\"name\":\"tsf-demo-comp\",\"version\":\"\",\"containerImage\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\",\"source\":{\"git\":{\"url\":\"https://github.com/rhads-tsf-qe/testrepo\",\"revision\":\"c4c58d9f5a73ead48869e244d9df08f43841367b\"}}}],\"artifacts\":{}}"
                                },
                                {
                                    "name": "SINGLE_COMPONENT",
                                    "value": "false"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE",
                                    "value": "pr/my-integration-test-pscf-lfgfg"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE_NAMESPACE"
                                },
                                {
                                    "name": "SNAPSHOT_PATH",
                                    "value": "/tekton/home/snapshot.json"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "reduce",
                            "onError": "continue"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "2Gi"
                                },
                                "requests": {
                                    "cpu": "1800m",
                                    "memory": "2Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_CONFIGURATION",
                                    "value": "enterprise-contract-service/default"
                                },
                                {
                                    "name": "PUBLIC_KEY",
                                    "value": "k8s://openshift-pipelines/public-key"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY",
                                    "value": "https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER",
                                    "value": "https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY_REGEXP"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER_REGEXP"
                                },
                                {
                                    "name": "REKOR_HOST",
                                    "value": "http://rekor-server.tsf-tas.svc.cluster.local"
                                },
                                {
                                    "name": "IGNORE_REKOR",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKERS",
                                    "value": "1"
                                },
                                {
                                    "name": "INFO",
                                    "value": "true"
                                },
                                {
                                    "name": "EFFECTIVE_TIME",
                                    "value": "now"
                                },
                                {
                                    "name": "EXTRA_RULE_DATA"
                                },
                                {
                                    "name": "RETRY_MAX_WAIT",
                                    "value": "3s"
                                },
                                {
                                    "name": "RETRY_MAX_RETRY",
                                    "value": "3"
                                },
                                {
                                    "name": "RETRY_DURATION",
                                    "value": "1s"
                                },
                                {
                                    "name": "RETRY_FACTOR",
                                    "value": "2.0"
                                },
                                {
                                    "name": "RETRY_JITTER",
                                    "value": "0.1"
                                },
                                {
                                    "name": "HOMEDIR",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "SSL_CERT_DIR",
                                    "value": "/tekton-custom-certs:/etc/ssl/certs:/etc/pki/tls/certs:/system/etc/security/cacerts:"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "validate",
                            "onError": "continue",
                            "script": "#!/bin/bash\nset -euo pipefail\n\ncmd_args=(\n  validate\n  image\n  --images=\"${HOMEDIR}/snapshot.json\"\n  --policy=\"${POLICY_CONFIGURATION}\"\n)\n\n# To keep bash logic as thin as possible we deliberately don't sanitize\n# these params. If something is wrong or missing let Conforma handle it.\n\nif [ -n \"${CERTIFICATE_IDENTITY}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ] || \\\n   [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n  # If *any* of the above are non-empty assume the intention is to\n  # try keyless verification\n\n  if [ -n \"${CERTIFICATE_IDENTITY}\" ]; then\n    cmd_args+=(\n      --certificate-identity=\"${CERTIFICATE_IDENTITY}\"\n    )\n  elif [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-identity-regexp=\"${CERTIFICATE_IDENTITY_REGEXP}\"\n    )\n  fi\n\n  if [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer=\"${CERTIFICATE_OIDC_ISSUER}\"\n    )\n  elif [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer-regexp=\"${CERTIFICATE_OIDC_ISSUER_REGEXP}\"\n    )\n  fi\n\n  # Force --ignore-rekor to false since we need rekor\n  cmd_args+=(\n    --ignore-rekor=false\n  )\nelse\n  # Assume traditional signing secret verification\n  cmd_args+=(\n    --public-key=\"${PUBLIC_KEY}\"\n    --ignore-rekor=\"${IGNORE_REKOR}\"\n  )\nfi\n\ncmd_args+=(\n  --rekor-url=\"${REKOR_HOST}\"\n  --workers=\"${WORKERS}\"\n  --info=\"${INFO}\"\n  --timeout=0\n  --strict=false\n  --show-successes=true\n  --show-policy-docs-link=true\n  --effective-time=\"${EFFECTIVE_TIME}\"\n  --extra-rule-data=\"${EXTRA_RULE_DATA}\"\n  --retry-max-wait=\"${RETRY_MAX_WAIT}\"\n  --retry-max-retry=\"${RETRY_MAX_RETRY}\"\n  --retry-duration=\"${RETRY_DURATION}\"\n  --retry-factor=\"${RETRY_FACTOR}\"\n  --retry-jitter=\"${RETRY_JITTER}\"\n  
--output=\"text=${HOMEDIR}/text-report.txt?show-successes=false\"\n  --output=\"json=${HOMEDIR}/report-json.json\"\n  --output=\"appstudio=/tekton/results/TEST_OUTPUT\"\n)\n\n\n# Execute Conforma with constructed arguments\nexec ec \"${cmd_args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "args": [
                                "jq . /tekton/home/report-json.json | awk '{gsub(/^ +/, \"\"); acc += length; if (acc \u003e= 8000) { printf \"\\n\"; acc=length } printf $0 }'"
                            ],
                            "command": [
                                "sh",
                                "-c"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "report-json",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                ".",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "summary",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "version"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "version"
                        },
                        {
                            "args": [
                                "{policy: .policy, key: .key, \"effective-time\": .[\"effective-time\"]}",
                                "/tekton/home/report-json.json"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "show-config"
                        },
                        {
                            "args": [
                                "/tekton/home/text-report.txt"
                            ],
                            "command": [
                                "cat"
                            ],
                            "computeResources": {},
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "detailed-report",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "--argjson",
                                "strict",
                                "true",
                                "-e",
                                ".result == \"SUCCESS\" or .result == \"WARNING\" or ($strict | not)\n",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "assert"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The workspace where the snapshot spec json file resides",
                            "name": "data",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/commit_sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/target_branch": "base-lrytgv",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=44",
                    "pac.test.appstudio.openshift.io/branch": "base-lrytgv",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998167190",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/my-integration-test-pscf-tprqp",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-lrytgv",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/d350094f-4865-40e5-87c9-91fd10574852/records/3c0ffb03-dd2f-4c68-9f56-19197f75489d",
                    "results.tekton.dev/result": "default-tenant/results/d350094f-4865-40e5-87c9-91fd10574852",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/displayName": "Collect Keyless Signing Parameters",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "ec, keyless, signing, configuration",
                    "test.appstudio.openshift.io/added-to-global-candidate-list": "{\"result\":true,\"reason\":\"Success\",\"lastupdatedtime\":\"2026-04-25T08:42:59Z\"}",
                    "test.appstudio.openshift.io/integration-workflow": "push",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1777106077000",
                    "test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "test.appstudio.openshift.io/status": "[{\"scenario\":\"my-integration-test-pscf\",\"status\":\"Pending\",\"lastUpdateTime\":\"2026-04-25T08:42:59.594314669Z\",\"details\":\"Pending\"}]"
                },
                "creationTimestamp": "2026-04-25T08:43:00Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.1",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083437-000",
                    "build.appstudio.redhat.com/pipeline": "enterprise-contract",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998167190",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "enterprise-contract",
                    "tekton.dev/pipelineRun": "my-integration-test-pscf-tprqp",
                    "tekton.dev/pipelineRunUID": "d350094f-4865-40e5-87c9-91fd10574852",
                    "tekton.dev/pipelineTask": "collect-keyless-params",
                    "tekton.dev/task": "collect-keyless-params",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1777106576",
                    "test.appstudio.openshift.io/scenario": "my-integration-test-pscf",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "my-integration-test-pscf-tprqp-collect-keyless-params",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "my-integration-test-pscf-tprqp",
                        "uid": "d350094f-4865-40e5-87c9-91fd10574852"
                    }
                ],
                "resourceVersion": "44178",
                "uid": "3c0ffb03-dd2f-4c68-9f56-19197f75489d"
            },
            "spec": {
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "bundle",
                            "value": "quay.io/conforma/tekton-task:konflux"
                        },
                        {
                            "name": "name",
                            "value": "collect-keyless-params"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:43:14Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:43:14Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "my-integration-test-pscf-tprqp-collect-keyless-params-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ce81caef343582bd5e20b51fb965f6bde405277f977d8e4e7652ea23e63da837"
                        },
                        "entryPoint": "collect-keyless-params",
                        "uri": "quay.io/conforma/tekton-task"
                    }
                },
                "results": [
                    {
                        "name": "buildIdentityRegexp",
                        "type": "string",
                        "value": "^https://kubernetes.io/namespaces/[a-z0-9-]+-tenant/serviceaccounts/build-pipeline-[a-z0-9-]+$"
                    },
                    {
                        "name": "defaultOIDCIssuer",
                        "type": "string",
                        "value": "https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j"
                    },
                    {
                        "name": "fulcioUrl",
                        "type": "string",
                        "value": "http://fulcio-server.tsf-tas.svc.cluster.local"
                    },
                    {
                        "name": "keylessSigningEnabled",
                        "type": "string",
                        "value": "true"
                    },
                    {
                        "name": "rekorUrl",
                        "type": "string",
                        "value": "http://rekor-server.tsf-tas.svc.cluster.local"
                    },
                    {
                        "name": "tektonChainsIdentity",
                        "type": "string",
                        "value": "https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller"
                    },
                    {
                        "name": "tufUrl",
                        "type": "string",
                        "value": "http://tuf.tsf-tas.svc.cluster.local"
                    }
                ],
                "startTime": "2026-04-25T08:43:01Z",
                "steps": [
                    {
                        "container": "step-collect-signing-params",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "collect-signing-params",
                        "terminated": {
                            "containerID": "cri-o://40f165c4279e1dcbff139530a78e32f47b9fc46858f1cf0e1d984125e867c0f0",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:13Z",
                            "message": "[{\"key\":\"buildIdentityRegexp\",\"value\":\"^https://kubernetes.io/namespaces/[a-z0-9-]+-tenant/serviceaccounts/build-pipeline-[a-z0-9-]+$\",\"type\":1},{\"key\":\"defaultOIDCIssuer\",\"value\":\"https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j\",\"type\":1},{\"key\":\"fulcioUrl\",\"value\":\"http://fulcio-server.tsf-tas.svc.cluster.local\",\"type\":1},{\"key\":\"keylessSigningEnabled\",\"value\":\"true\",\"type\":1},{\"key\":\"rekorUrl\",\"value\":\"http://rekor-server.tsf-tas.svc.cluster.local\",\"type\":1},{\"key\":\"tektonChainsIdentity\",\"value\":\"https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller\",\"type\":1},{\"key\":\"tufUrl\",\"value\":\"http://tuf.tsf-tas.svc.cluster.local\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:11Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Tekton task to collect Konflux configuration parameters related to\nkeyless signing using cosign. The task attempts to read the \"cluster-config\"\nConfigMap in the \"konflux-info\" namespace to extract signing parameters.\n\nIn case the ConfigMap is not found, the task will output empty strings for all parameters,\nallowing the pipeline to continue without signing parameters.\n",
                    "params": [
                        {
                            "default": "cluster-config",
                            "description": "The name of the ConfigMap to read signing parameters from",
                            "name": "configMapName",
                            "type": "string"
                        },
                        {
                            "default": "konflux-info",
                            "description": "The namespace where the ConfigMap is located",
                            "name": "configMapNamespace",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "A flag indicating whether keyless signing is enabled based on the presence of signing parameters.\n",
                            "name": "keylessSigningEnabled",
                            "type": "string"
                        },
                        {
                            "description": "A default OIDC issuer URL to be used for signing.\n",
                            "name": "defaultOIDCIssuer",
                            "type": "string"
                        },
                        {
                            "description": "A regular expression to extract build identity from the OIDC token claims, if applicable.\n",
                            "name": "buildIdentityRegexp",
                            "type": "string"
                        },
                        {
                            "description": "The Tekton Chains identity from the OIDC token claims, if applicable.\n",
                            "name": "tektonChainsIdentity",
                            "type": "string"
                        },
                        {
                            "description": "The URL of the Fulcio certificate authority.\n",
                            "name": "fulcioUrl",
                            "type": "string"
                        },
                        {
                            "description": "The URL of the Rekor transparency log.\n",
                            "name": "rekorUrl",
                            "type": "string"
                        },
                        {
                            "description": "The URL of the TUF repository.\n",
                            "name": "tufUrl",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "securityContext": {
                            "runAsUser": 1001
                        }
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "128Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "128Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "configMapNamespace",
                                    "value": "konflux-info"
                                },
                                {
                                    "name": "configMapName",
                                    "value": "cluster-config"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "collect-signing-params",
                            "script": "#!/bin/bash\nset -euo pipefail\n\n# Default value is \"false\"\nkeylessSigningEnabled=\"false\"\n\n# Default values are empty strings\ndefaultOIDCIssuer=\"\"\nbuildIdentityRegexp=\"\"\ntektonChainsIdentity=\"\"\nfulcioUrl=\"\"\nrekorUrl=\"\"\ntufUrl=\"\"\n\n# Read from the ConfigMap\necho \"Reading ConfigMap ${configMapNamespace}/${configMapName}\"\nKFLX_CONFIG_PATH='/tmp/cluster-config.json'\n\nif kubectl get configmap \"${configMapName}\" -n \"${configMapNamespace}\" -o json --ignore-not-found \u003e \"${KFLX_CONFIG_PATH}\"; then\n  if [ -s \"${KFLX_CONFIG_PATH}\" ]; then\n    echo \"ConfigMap found, extracting keyless signing parameters\"\n\n    # First we read \"keylessSigningEnabled\"\n    keylessSigningEnabled=$(jq -r '.data.enableKeylessSigning // \"false\"' \"$KFLX_CONFIG_PATH\")\n\n    if [ \"$keylessSigningEnabled\" = \"true\" ]; then\n      # If that is set to \"true\" then read the other values\n      defaultOIDCIssuer=$(jq -r '.data.defaultOIDCIssuer // \"\"' \"$KFLX_CONFIG_PATH\")\n      buildIdentityRegexp=$(jq -r '.data.buildIdentityRegexp // \"\"' \"$KFLX_CONFIG_PATH\")\n      tektonChainsIdentity=$(jq -r '.data.tektonChainsIdentity // \"\"' \"$KFLX_CONFIG_PATH\")\n\n      # For each of these we prefer the internal url if its present\n      fulcioUrl=$(jq -r '.data.fulcioInternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n      if [ -z \"$fulcioUrl\" ]; then\n        fulcioUrl=$(jq -r '.data.fulcioExternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n      fi\n\n      rekorUrl=$(jq -r '.data.rekorInternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n      if [ -z \"$rekorUrl\" ]; then\n        rekorUrl=$(jq -r '.data.rekorExternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n      fi\n\n      tufUrl=$(jq -r '.data.tufInternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n      if [ -z \"$tufUrl\" ]; then\n        tufUrl=$(jq -r '.data.tufExternalUrl // \"\"' \"$KFLX_CONFIG_PATH\")\n      fi\n\n    else\n      # Otherwise we ignore the rest of the 
ConfigMap\n      echo \"enableKeylessSigning is not set, using default empty values\"\n\n    fi\n  else\n    # Because we used --ignore-not-found this doesn't produce an error\n    echo \"ConfigMap not found, using default empty values\"\n\n  fi\n\nelse\n  # Some error other than \"not found\"\n  # (Stderr from kubectl should be visible in the task log.)\n  echo \"Problem reading ConfigMap, using default empty values\"\n\nfi\n\n# Write to task results\necho -n \"$keylessSigningEnabled\" \u003e \"/tekton/results/keylessSigningEnabled\"\necho -n \"$defaultOIDCIssuer\" \u003e \"/tekton/results/defaultOIDCIssuer\"\necho -n \"$buildIdentityRegexp\" \u003e \"/tekton/results/buildIdentityRegexp\"\necho -n \"$tektonChainsIdentity\" \u003e \"/tekton/results/tektonChainsIdentity\"\necho -n \"$fulcioUrl\" \u003e \"/tekton/results/fulcioUrl\"\necho -n \"$rekorUrl\" \u003e \"/tekton/results/rekorUrl\"\necho -n \"$tufUrl\" \u003e \"/tekton/results/tufUrl\"\n\n# Output for troubleshooting/debugging\necho \"results.keylessSigningEnabled: $keylessSigningEnabled\"\necho \"results.defaultOIDCIssuer: $defaultOIDCIssuer\"\necho \"results.buildIdentityRegexp: $buildIdentityRegexp\"\necho \"results.tektonChainsIdentity: $tektonChainsIdentity\"\necho \"results.fulcioUrl: $fulcioUrl\"\necho \"results.rekorUrl: $rekorUrl\"\necho \"results.tufUrl: $tufUrl\"\n"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/commit_sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/target_branch": "base-lrytgv",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=55",
                    "pac.test.appstudio.openshift.io/branch": "base-lrytgv",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998167190",
                    "pac.test.appstudio.openshift.io/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pac.test.appstudio.openshift.io/git-provider": "github",
                    "pac.test.appstudio.openshift.io/installation-id": "112348674",
                    "pac.test.appstudio.openshift.io/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/my-integration-test-pscf-tprqp",
                    "pac.test.appstudio.openshift.io/max-keep-runs": "3",
                    "pac.test.appstudio.openshift.io/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/scm-reporting-plr-started": "true",
                    "pac.test.appstudio.openshift.io/sender": "rhtap-ci-tests-bot",
                    "pac.test.appstudio.openshift.io/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/source-branch": "refs/heads/base-lrytgv",
                    "pac.test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/d350094f-4865-40e5-87c9-91fd10574852/records/eb1d37a3-6981-457e-88ba-cbc49194ea92",
                    "results.tekton.dev/result": "default-tenant/results/d350094f-4865-40e5-87c9-91fd10574852",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/displayName": "Verify Enterprise Contract",
                    "tekton.dev/pipelines.minVersion": "0.19",
                    "tekton.dev/tags": "ec, chains, signature, conftest",
                    "test.appstudio.openshift.io/added-to-global-candidate-list": "{\"result\":true,\"reason\":\"Success\",\"lastupdatedtime\":\"2026-04-25T08:42:59Z\"}",
                    "test.appstudio.openshift.io/integration-workflow": "push",
                    "test.appstudio.openshift.io/pipelinerunstarttime": "1777106077000",
                    "test.appstudio.openshift.io/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "test.appstudio.openshift.io/status": "[{\"scenario\":\"my-integration-test-pscf\",\"status\":\"Pending\",\"lastUpdateTime\":\"2026-04-25T08:42:59.594314669Z\",\"details\":\"Pending\"}]"
                },
                "creationTimestamp": "2026-04-25T08:43:14Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "tekton-pipelines",
                    "app.kubernetes.io/version": "0.1",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "appstudio.openshift.io/snapshot": "tsf-demo-app-20260425-083437-000",
                    "build.appstudio.redhat.com/pipeline": "enterprise-contract",
                    "pac.test.appstudio.openshift.io/cancel-in-progress": "false",
                    "pac.test.appstudio.openshift.io/check-run-id": "72998167190",
                    "pac.test.appstudio.openshift.io/event-type": "push",
                    "pac.test.appstudio.openshift.io/original-prname": "tsf-demo-comp-on-push",
                    "pac.test.appstudio.openshift.io/repository": "tsf-demo-comp",
                    "pac.test.appstudio.openshift.io/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pac.test.appstudio.openshift.io/state": "completed",
                    "pac.test.appstudio.openshift.io/url-org": "rhads-tsf-qe",
                    "pac.test.appstudio.openshift.io/url-repository": "testrepo",
                    "pipelines.appstudio.openshift.io/type": "test",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "enterprise-contract",
                    "tekton.dev/pipelineRun": "my-integration-test-pscf-tprqp",
                    "tekton.dev/pipelineRunUID": "d350094f-4865-40e5-87c9-91fd10574852",
                    "tekton.dev/pipelineTask": "verify",
                    "tekton.dev/task": "verify-enterprise-contract",
                    "test.appstudio.openshift.io/optional": "false",
                    "test.appstudio.openshift.io/pipelinerunfinishtime": "1777106576",
                    "test.appstudio.openshift.io/scenario": "my-integration-test-pscf",
                    "test.appstudio.openshift.io/type": "component"
                },
                "name": "my-integration-test-pscf-tprqp-verify",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "my-integration-test-pscf-tprqp",
                        "uid": "d350094f-4865-40e5-87c9-91fd10574852"
                    }
                ],
                "resourceVersion": "44667",
                "uid": "eb1d37a3-6981-457e-88ba-cbc49194ea92"
            },
            "spec": {
                "params": [
                    {
                        "name": "POLICY_CONFIGURATION",
                        "value": "enterprise-contract-service/default"
                    },
                    {
                        "name": "IMAGES",
                        "value": "{\"application\":\"tsf-demo-app\",\"componentGroup\":\"\",\"components\":[{\"name\":\"tsf-demo-comp\",\"version\":\"\",\"containerImage\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\",\"source\":{\"git\":{\"url\":\"https://github.com/rhads-tsf-qe/testrepo\",\"revision\":\"d8a3550152b3d095b9f67197858a8425267e1d43\"}}}],\"artifacts\":{}}"
                    },
                    {
                        "name": "SSL_CERT_DIR",
                        "value": ""
                    },
                    {
                        "name": "STRICT",
                        "value": "true"
                    },
                    {
                        "name": "PUBLIC_KEY",
                        "value": "k8s://openshift-pipelines/public-key"
                    },
                    {
                        "name": "IGNORE_REKOR",
                        "value": "true"
                    },
                    {
                        "name": "CERTIFICATE_OIDC_ISSUER",
                        "value": "https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j"
                    },
                    {
                        "name": "CERTIFICATE_IDENTITY",
                        "value": "https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller"
                    },
                    {
                        "name": "TUF_MIRROR",
                        "value": "http://tuf.tsf-tas.svc.cluster.local"
                    },
                    {
                        "name": "REKOR_HOST",
                        "value": "http://rekor-server.tsf-tas.svc.cluster.local"
                    },
                    {
                        "name": "WORKERS",
                        "value": "1"
                    },
                    {
                        "name": "CA_TRUST_CONFIGMAP_NAME",
                        "value": "trusted-ca"
                    },
                    {
                        "name": "CA_TRUST_CONFIG_MAP_KEY",
                        "value": "ca-bundle.crt"
                    },
                    {
                        "name": "EXTRA_RULE_DATA",
                        "value": ""
                    },
                    {
                        "name": "SINGLE_COMPONENT",
                        "value": "false"
                    },
                    {
                        "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE",
                        "value": "pr/my-integration-test-pscf-tprqp"
                    }
                ],
                "serviceAccountName": "konflux-integration-runner",
                "taskRef": {
                    "params": [
                        {
                            "name": "bundle",
                            "value": "quay.io/conforma/tekton-task:konflux"
                        },
                        {
                            "name": "name",
                            "value": "verify-enterprise-contract"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "4h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:43:38Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:43:38Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "my-integration-test-pscf-tprqp-verify-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "ce81caef343582bd5e20b51fb965f6bde405277f977d8e4e7652ea23e63da837"
                        },
                        "entryPoint": "verify-enterprise-contract",
                        "uri": "quay.io/conforma/tekton-task"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1777106616\",\"namespace\":\"\",\"successes\":128,\"failures\":0,\"warnings\":4,\"result\":\"WARNING\"}\n"
                    }
                ],
                "startTime": "2026-04-25T08:43:14Z",
                "steps": [
                    {
                        "container": "step-initialize-tuf",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "initialize-tuf",
                        "terminated": {
                            "containerID": "cri-o://c0633a051160fbe96b0cae80e52b5f17385d11cc59542babab914a15a0dd08c0",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:26Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:26Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-reduce",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "reduce",
                        "terminated": {
                            "containerID": "cri-o://3c54eb61a7a0ee6d195ed5f78c4f5d90bfcf09464cf0c6b37abca27321e0e4c3",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:26Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:26Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-validate",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "validate",
                        "terminated": {
                            "containerID": "cri-o://49cb481665341c72e29a89353c73c923741a39ab11cd86ba377a5b32aee2f5e1",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:36Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106616\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:26Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-report-json",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "report-json",
                        "terminated": {
                            "containerID": "cri-o://4de11a92a779d5119dfabd4c204b0ad331371eb7b1076c530700c2421e9d6c07",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:36Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106616\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:36Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-summary",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "summary",
                        "terminated": {
                            "containerID": "cri-o://62f68e0dad6cfb8cc06722c6063efc013adffdcbc5f24b796756151481e43c41",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:36Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106616\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:36Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-version",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "version",
                        "terminated": {
                            "containerID": "cri-o://dac524a61d7465ac04ba19fccfa71998f8beb199fb1a74e8a9431c20738668b1",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:37Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106616\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:36Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-show-config",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "show-config",
                        "terminated": {
                            "containerID": "cri-o://9effacaa08a33d7428bdca3387da2083f3d14635c6e27d7115de2d971ef793be",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:37Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106616\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:37Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-detailed-report",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "detailed-report",
                        "terminated": {
                            "containerID": "cri-o://d44b25a8674d8644aa59961007dc64b66594fde87adaa948de1444b81a8065e9",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:37Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106616\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:37Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-assert",
                        "imageID": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                        "name": "assert",
                        "terminated": {
                            "containerID": "cri-o://4e8b16ed220b003748a3d820db008a9ca621b3780ce7b9ce93d4471fb7e76b44",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:37Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106616\\\",\\\"namespace\\\":\\\"\\\",\\\"successes\\\":128,\\\"failures\\\":0,\\\"warnings\\\":4,\\\"result\\\":\\\"WARNING\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:37Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Verify the enterprise contract is met",
                    "params": [
                        {
                            "description": "Spec section of an ApplicationSnapshot resource. Not all fields of the\nresource are required. A minimal example:\n\n```json\n  {\n    \"components\": [\n      {\n        \"containerImage\": \"quay.io/example/repo:latest\"\n      }\n    ]\n  }\n```\n\nEach `containerImage` in the `components` array is validated.\n",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "default": "enterprise-contract-service/default",
                            "description": "Name of the policy configuration (EnterpriseContractPolicy\nresource) to use. `namespace/name` or `name` syntax supported. If\nnamespace is omitted the namespace where the task runs is used.\nYou can also specify a policy configuration using a git url, e.g.\n`github.com/conforma/config//slsa3`.\n",
                            "name": "POLICY_CONFIGURATION",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Public key used to verify traditional long-lived signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute. Required for traditional signing key verification. Will be ignored if any of CERTIFICATE_IDENTITY, CERTIFICATE_IDENTITY_REGEXP, CERTIFICATE_OIDC_ISSUER, or CERTIFICATE_OIDC_ISSUER_REGEXP are provided.",
                            "name": "PUBLIC_KEY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Rekor host for transparency log lookups",
                            "name": "REKOR_HOST",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected identity in the signing certificate for keyless verification. This should be the email or URI that was used when signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_IDENTITY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expected OIDC issuer in the signing certificate for keyless verification. This should match the issuer that provided the identity token used for signing. You should provide both CERTIFICATE_OIDC_ISSUER and CERTIFICATE_IDENTITY for keyless verification. The PUBLIC_KEY param will be ignored if this is provided.",
                            "name": "CERTIFICATE_OIDC_ISSUER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_IDENTITY but the value is a regexp that will be matched. Note that CERTIFICATE_IDENTITY takes precedence over this if both are present.",
                            "name": "CERTIFICATE_IDENTITY_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Similar to CERTIFICATE_OIDC_ISSUER but a regexp that will be matched. Note that CERTIFICATE_OIDC_ISSUER takes precedence over this if both are present.",
                            "name": "CERTIFICATE_OIDC_ISSUER_REGEXP",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip Rekor transparency log checks during validation. Compatible with traditional signing secret signature checks only. If any of the CERTIFICATE_* keyless verification params are present, this value is disregarded and Rekor transparency log checks are included.",
                            "name": "IGNORE_REKOR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "TUF mirror URL. Provide a value when NOT using the public Sigstore deployment.",
                            "name": "TUF_MIRROR",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Path to a directory containing SSL certs to be used when communicating\nwith external services. This is useful when using the integrated registry\nand a local instance of Rekor on a development cluster which may use\ncertificates issued by a root CA that is not commonly trusted. In such cases,\n`/var/run/secrets/kubernetes.io/serviceaccount` is a good value. Multiple\npaths can be provided by using the `:` separator.\n",
                            "name": "SSL_CERT_DIR",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIGMAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Include rule titles and descriptions in the output. Set to `\"false\"` to disable it.",
                            "name": "INFO",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Fail the task if policy fails. Set to `\"false\"` to disable it.",
                            "name": "STRICT",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Value for the HOME environment variable.",
                            "name": "HOMEDIR",
                            "type": "string"
                        },
                        {
                            "default": "now",
                            "description": "Run policy checks with the provided time.",
                            "name": "EFFECTIVE_TIME",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Merge additional Rego variables into the policy data. Use syntax \"key=value,key2=value2...\"",
                            "name": "EXTRA_RULE_DATA",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Number of parallel workers to use for policy evaluation.",
                            "name": "WORKERS",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Reduce the Snapshot to only the component whose build caused the Snapshot to be created",
                            "name": "SINGLE_COMPONENT",
                            "type": "string"
                        },
                        {
                            "default": "unknown",
                            "description": "Name, including kind, of the Kubernetes resource to query for labels when single component mode is enabled, e.g. pr/somepipeline.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Kubernetes namespace where the resource named by SINGLE_COMPONENT_CUSTOM_RESOURCE is found. Only used when single component mode is enabled.\n",
                            "name": "SINGLE_COMPONENT_CUSTOM_RESOURCE_NS",
                            "type": "string"
                        },
                        {
                            "default": "1s",
                            "description": "Base duration for exponential backoff calculation (e.g., \"1s\", \"500ms\")",
                            "name": "RETRY_DURATION",
                            "type": "string"
                        },
                        {
                            "default": "2.0",
                            "description": "Exponential backoff multiplier (e.g., \"2.0\", \"1.5\")",
                            "name": "RETRY_FACTOR",
                            "type": "string"
                        },
                        {
                            "default": "0.1",
                            "description": "Randomness factor for backoff calculation (0.0-1.0, e.g., \"0.1\", \"0.2\")",
                            "name": "RETRY_JITTER",
                            "type": "string"
                        },
                        {
                            "default": "3",
                            "description": "Maximum number of retry attempts",
                            "name": "RETRY_MAX_RETRY",
                            "type": "string"
                        },
                        {
                            "default": "3s",
                            "description": "Maximum wait time between retries (e.g., \"3s\", \"10s\")",
                            "name": "RETRY_MAX_WAIT",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Short summary of the policy evaluation for each image",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "HOME",
                                "value": "/tekton/home"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "sigstore",
                                "initialize",
                                "--mirror",
                                "http://tuf.tsf-tas.svc.cluster.local",
                                "--root",
                                "http://tuf.tsf-tas.svc.cluster.local/root.json"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "initialize-tuf",
                            "when": [
                                {
                                    "input": "http://tuf.tsf-tas.svc.cluster.local",
                                    "operator": "notin",
                                    "values": [
                                        ""
                                    ]
                                }
                            ]
                        },
                        {
                            "command": [
                                "reduce-snapshot.sh"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SNAPSHOT",
                                    "value": "{\"application\":\"tsf-demo-app\",\"componentGroup\":\"\",\"components\":[{\"name\":\"tsf-demo-comp\",\"version\":\"\",\"containerImage\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\",\"source\":{\"git\":{\"url\":\"https://github.com/rhads-tsf-qe/testrepo\",\"revision\":\"d8a3550152b3d095b9f67197858a8425267e1d43\"}}}],\"artifacts\":{}}"
                                },
                                {
                                    "name": "SINGLE_COMPONENT",
                                    "value": "false"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE",
                                    "value": "pr/my-integration-test-pscf-tprqp"
                                },
                                {
                                    "name": "CUSTOM_RESOURCE_NAMESPACE"
                                },
                                {
                                    "name": "SNAPSHOT_PATH",
                                    "value": "/tekton/home/snapshot.json"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "reduce",
                            "onError": "continue"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "2Gi"
                                },
                                "requests": {
                                    "cpu": "1800m",
                                    "memory": "2Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_CONFIGURATION",
                                    "value": "enterprise-contract-service/default"
                                },
                                {
                                    "name": "PUBLIC_KEY",
                                    "value": "k8s://openshift-pipelines/public-key"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY",
                                    "value": "https://kubernetes.io/namespaces/openshift-pipelines/serviceaccounts/tekton-chains-controller"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER",
                                    "value": "https://oidc.op1.openshiftapps.com/2jtsga3i2etnl697l7bk5i1kmbm4a95j"
                                },
                                {
                                    "name": "CERTIFICATE_IDENTITY_REGEXP"
                                },
                                {
                                    "name": "CERTIFICATE_OIDC_ISSUER_REGEXP"
                                },
                                {
                                    "name": "REKOR_HOST",
                                    "value": "http://rekor-server.tsf-tas.svc.cluster.local"
                                },
                                {
                                    "name": "IGNORE_REKOR",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKERS",
                                    "value": "1"
                                },
                                {
                                    "name": "INFO",
                                    "value": "true"
                                },
                                {
                                    "name": "EFFECTIVE_TIME",
                                    "value": "now"
                                },
                                {
                                    "name": "EXTRA_RULE_DATA"
                                },
                                {
                                    "name": "RETRY_MAX_WAIT",
                                    "value": "3s"
                                },
                                {
                                    "name": "RETRY_MAX_RETRY",
                                    "value": "3"
                                },
                                {
                                    "name": "RETRY_DURATION",
                                    "value": "1s"
                                },
                                {
                                    "name": "RETRY_FACTOR",
                                    "value": "2.0"
                                },
                                {
                                    "name": "RETRY_JITTER",
                                    "value": "0.1"
                                },
                                {
                                    "name": "HOMEDIR",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "SSL_CERT_DIR",
                                    "value": "/tekton-custom-certs:/etc/ssl/certs:/etc/pki/tls/certs:/system/etc/security/cacerts:"
                                }
                            ],
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "validate",
                            "onError": "continue",
                            "script": "#!/bin/bash\nset -euo pipefail\n\ncmd_args=(\n  validate\n  image\n  --images=\"${HOMEDIR}/snapshot.json\"\n  --policy=\"${POLICY_CONFIGURATION}\"\n)\n\n# To keep bash logic as thin as possible we deliberately don't sanitize\n# these params. If something is wrong or missing let Conforma handle it.\n\nif [ -n \"${CERTIFICATE_IDENTITY}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ] || \\\n   [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ] || \\\n   [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n  # If *any* of the above are non-empty assume the intention is to\n  # try keyless verification\n\n  if [ -n \"${CERTIFICATE_IDENTITY}\" ]; then\n    cmd_args+=(\n      --certificate-identity=\"${CERTIFICATE_IDENTITY}\"\n    )\n  elif [ -n \"${CERTIFICATE_IDENTITY_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-identity-regexp=\"${CERTIFICATE_IDENTITY_REGEXP}\"\n    )\n  fi\n\n  if [ -n \"${CERTIFICATE_OIDC_ISSUER}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer=\"${CERTIFICATE_OIDC_ISSUER}\"\n    )\n  elif [ -n \"${CERTIFICATE_OIDC_ISSUER_REGEXP}\" ]; then\n    cmd_args+=(\n      --certificate-oidc-issuer-regexp=\"${CERTIFICATE_OIDC_ISSUER_REGEXP}\"\n    )\n  fi\n\n  # Force --ignore-rekor to false since we need rekor\n  cmd_args+=(\n    --ignore-rekor=false\n  )\nelse\n  # Assume traditional signing secret verification\n  cmd_args+=(\n    --public-key=\"${PUBLIC_KEY}\"\n    --ignore-rekor=\"${IGNORE_REKOR}\"\n  )\nfi\n\ncmd_args+=(\n  --rekor-url=\"${REKOR_HOST}\"\n  --workers=\"${WORKERS}\"\n  --info=\"${INFO}\"\n  --timeout=0\n  --strict=false\n  --show-successes=true\n  --show-policy-docs-link=true\n  --effective-time=\"${EFFECTIVE_TIME}\"\n  --extra-rule-data=\"${EXTRA_RULE_DATA}\"\n  --retry-max-wait=\"${RETRY_MAX_WAIT}\"\n  --retry-max-retry=\"${RETRY_MAX_RETRY}\"\n  --retry-duration=\"${RETRY_DURATION}\"\n  --retry-factor=\"${RETRY_FACTOR}\"\n  --retry-jitter=\"${RETRY_JITTER}\"\n  
--output=\"text=${HOMEDIR}/text-report.txt?show-successes=false\"\n  --output=\"json=${HOMEDIR}/report-json.json\"\n  --output=\"appstudio=/tekton/results/TEST_OUTPUT\"\n)\n\n\n# Execute Conforma with constructed arguments\nexec ec \"${cmd_args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "args": [
                                "jq . /tekton/home/report-json.json | awk '{gsub(/^ +/, \"\"); acc += length; if (acc \u003e= 8000) { printf \"\\n\"; acc=length } printf $0 }'"
                            ],
                            "command": [
                                "sh",
                                "-c"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "report-json",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                ".",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "summary",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "version"
                            ],
                            "command": [
                                "ec"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "version"
                        },
                        {
                            "args": [
                                "{policy: .policy, key: .key, \"effective-time\": .[\"effective-time\"]}",
                                "/tekton/home/report-json.json"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "show-config"
                        },
                        {
                            "args": [
                                "/tekton/home/text-report.txt"
                            ],
                            "command": [
                                "cat"
                            ],
                            "computeResources": {},
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "detailed-report",
                            "onError": "continue"
                        },
                        {
                            "args": [
                                "--argjson",
                                "strict",
                                "true",
                                "-e",
                                ".result == \"SUCCESS\" or .result == \"WARNING\" or ($strict | not)\n",
                                "/tekton/results/TEST_OUTPUT"
                            ],
                            "command": [
                                "jq"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/conforma/cli@sha256:30f7da8493fd7713cc81b8d96645ae6dbc6b5d152d7d88083fd846e41e3aa365",
                            "name": "assert"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "The workspace where the snapshot spec json file resides",
                            "name": "data",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=09334efbb6c61f55a88d14c38e6610ad5981edd6",
                    "build.appstudio.redhat.com/commit_sha": "09334efbb6c61f55a88d14c38e6610ad5981edd6",
                    "build.appstudio.redhat.com/pull_request_number": "234",
                    "build.appstudio.redhat.com/target_branch": "base-vbzktl",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-vbzktl",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "72998361450",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zytbzf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-pull-request-lg7wn",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-vbzktl\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "234",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhads-tsf-ci[bot]",
                    "pipelinesascode.tekton.dev/sha": "09334efbb6c61f55a88d14c38e6610ad5981edd6",
                    "pipelinesascode.tekton.dev/sha-title": "RHADS-TSF-CI update tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/09334efbb6c61f55a88d14c38e6610ad5981edd6",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/643664c6-a731-47e2-a024-005d4e1246b1/records/38f83577-bcb9-448d-a143-04df7741ced9",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"09334efbb6c61f55a88d14c38e6610ad5981edd6\",\"eventType\":\"pull_request\",\"pull_request-id\":234}",
                    "results.tekton.dev/result": "default-tenant/results/643664c6-a731-47e2-a024-005d4e1246b1",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone oci trusted artifacts",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-group": "konflux-tsf-demo-comp",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-04-25T08:39:19Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "72998361450",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "234",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "09334efbb6c61f55a88d14c38e6610ad5981edd6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-pull-request-lg7wn",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-pull-request-lg7wn",
                    "tekton.dev/pipelineRunUID": "643664c6-a731-47e2-a024-005d4e1246b1",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone-oci-ta-min",
                    "test.appstudio.openshift.io/pr-group-sha": "e5069fd5afbb0dd2d302e33fb7e375be47613ee02b0ea3b06542f7ea04bca2"
                },
                "name": "tsf-demo-comp-on-pull-request-lg7wn-clone-repository",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-pull-request-lg7wn",
                        "uid": "643664c6-a731-47e2-a024-005d4e1246b1"
                    }
                ],
                "resourceVersion": "41229",
                "uid": "38f83577-bcb9-448d-a143-04df7741ced9"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/rhads-tsf-qe/testrepo"
                    },
                    {
                        "name": "revision",
                        "value": "09334efbb6c61f55a88d14c38e6610ad5981edd6"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:on-pr-09334efbb6c61f55a88d14c38e6610ad5981edd6.git"
                    },
                    {
                        "name": "ociArtifactExpiresAfter",
                        "value": "5d"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "status": "TaskRunCancelled",
                "statusMessage": "TaskRun cancelled as the PipelineRun it belongs to has been cancelled.",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min:0.1@sha256:2fff50eaed7d278c3ed82375d28241eaf6eecbc389ec4d44992721786a0dfa68"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-zytbzf"
                        }
                    }
                ]
            },
            "status": {
                "completionTime": "2026-04-25T08:39:23Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:39:23Z",
                        "message": "TaskRun \"tsf-demo-comp-on-pull-request-lg7wn-clone-repository\" was cancelled. TaskRun cancelled as the PipelineRun it belongs to has been cancelled.",
                        "reason": "TaskRunCancelled",
                        "status": "False",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-pull-request-lg7wn-clone-repository-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "2fff50eaed7d278c3ed82375d28241eaf6eecbc389ec4d44992721786a0dfa68"
                        },
                        "entryPoint": "git-clone-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min"
                    }
                },
                "startTime": "2026-04-25T08:39:19Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "name": "clone",
                        "terminated": {
                            "exitCode": 1,
                            "finishedAt": "2026-04-25T08:39:23Z",
                            "message": "Step clone terminated as pod tsf-demo-comp-on-pull-request-lg7wn-clone-repository-pod is terminated",
                            "reason": "TaskRunCancelled",
                            "startedAt": "2026-04-25T08:39:19Z"
                        },
                        "terminationReason": "TaskRunCancelled"
                    },
                    {
                        "container": "step-symlink-check",
                        "name": "symlink-check",
                        "terminated": {
                            "exitCode": 1,
                            "finishedAt": "2026-04-25T08:39:23Z",
                            "message": "Step symlink-check terminated as pod tsf-demo-comp-on-pull-request-lg7wn-clone-repository-pod is terminated",
                            "reason": "TaskRunCancelled",
                            "startedAt": "2026-04-25T08:39:19Z"
                        },
                        "terminationReason": "TaskRunCancelled"
                    },
                    {
                        "container": "step-create-trusted-artifact",
                        "name": "create-trusted-artifact",
                        "terminated": {
                            "exitCode": 1,
                            "finishedAt": "2026-04-25T08:39:23Z",
                            "message": "Step create-trusted-artifact terminated as pod tsf-demo-comp-on-pull-request-lg7wn-clone-repository-pod is terminated",
                            "reason": "TaskRunCancelled",
                            "startedAt": "2026-04-25T08:39:19Z"
                        },
                        "terminationReason": "TaskRunCancelled"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted artifact in the provided OCI repository.",
                    "params": [
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the cloned repo. If any symlink points outside of the repo, the build will fail. Symlink targets are resolved and compared against the checkout directory by path prefix.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Time after which the trusted artifacts created in the OCI repository expire (for example \"5d\"). An empty string means the artifacts do not expire.",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "description": "The OCI repository where the Trusted Artifacts are stored.",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
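                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting so that it is included in the provenance. It is the SHA of the checked-out revision before any target-branch merge; the post-merge SHA is reported separately in merged_sha.",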
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The committer timestamp of the HEAD commit of the checkout, as Unix epoch seconds.",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task, abbreviated to params.shortCommitLength characters.",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/rhads-tsf-qe/testrepo"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "09334efbb6c61f55a88d14c38e6610ad5981edd6"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                },
                                {
                                    "name": "CHECKOUT_DIR",
                                    "value": "/var/workdir/source"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ]; then\n  set -x\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ]; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e\"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e\"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ]; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export 
NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. 
Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\n  if ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n    echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n    echo \"--- Git Status ---\"\n    git status\n    echo \"------------------\"\n    exit 1\n  fi\n\n  # Check if there are changes staged for commit\n  if git diff --staged --quiet; then\n    echo \"No diff was found, skipping merge...\" \u003e\u00262\n  else\n    echo \"Merge successful (no conflicts found), committing...\"\n    if ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n      echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n      exit 1\n    fi\n    MERGED_SHA=$(git rev-parse HEAD)\n    echo \"New HEAD after merge: ${MERGED_SHA}\"\n    echo \"${MERGED_SHA}\" \u003e\"/tekton/results/merged_sha\"\n  fi\n\nelse\n  echo \"Merge option disabled. 
Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e\"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e\"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ]; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/workdir",
                                    "name": "workdir"
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "CHECKOUT_DIR",
                                    "value": "/var/workdir/source"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink; do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ]; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ]; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/workdir",
                                    "name": "workdir"
                                }
                            ]
                        },
                        {
                            "args": [
                                "create",
                                "--store",
                                "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:on-pr-09334efbb6c61f55a88d14c38e6610ad5981edd6.git",
                                "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_EXPIRES_AFTER",
                                    "value": "5d"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad",
                            "name": "create-trusted-artifact",
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/workdir",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=09334efbb6c61f55a88d14c38e6610ad5981edd6",
                    "build.appstudio.redhat.com/commit_sha": "09334efbb6c61f55a88d14c38e6610ad5981edd6",
                    "build.appstudio.redhat.com/pull_request_number": "234",
                    "build.appstudio.redhat.com/target_branch": "base-vbzktl",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=21",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-vbzktl",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "72998361450",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zytbzf",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-pull-request-lg7wn",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-vbzktl\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "234",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhads-tsf-ci[bot]",
                    "pipelinesascode.tekton.dev/sha": "09334efbb6c61f55a88d14c38e6610ad5981edd6",
                    "pipelinesascode.tekton.dev/sha-title": "RHADS-TSF-CI update tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/09334efbb6c61f55a88d14c38e6610ad5981edd6",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/643664c6-a731-47e2-a024-005d4e1246b1/records/3d6cb246-6541-4c7d-aa8b-0e52e4070c1a",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"09334efbb6c61f55a88d14c38e6610ad5981edd6\",\"eventType\":\"pull_request\",\"pull_request-id\":234}",
                    "results.tekton.dev/result": "default-tenant/results/643664c6-a731-47e2-a024-005d4e1246b1",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-tsf-demo-comp",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-04-25T08:39:11Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "72998361450",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "234",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "09334efbb6c61f55a88d14c38e6610ad5981edd6",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-pull-request-lg7wn",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-pull-request-lg7wn",
                    "tekton.dev/pipelineRunUID": "643664c6-a731-47e2-a024-005d4e1246b1",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "e5069fd5afbb0dd2d302e33fb7e375be47613ee02b0ea3b06542f7ea04bca2"
                },
                "name": "tsf-demo-comp-on-pull-request-lg7wn-init",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-pull-request-lg7wn",
                        "uid": "643664c6-a731-47e2-a024-005d4e1246b1"
                    }
                ],
                "resourceVersion": "40823",
                "uid": "3d6cb246-6541-4c7d-aa8b-0e52e4070c1a"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:39:19Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:39:19Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-pull-request-lg7wn-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-04-25T08:39:11Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:2d1039b614888ca46d5d771ca886a5843e56ac9acf7210040a61075371338247",
                        "name": "init",
                        "terminated": {
                            "containerID": "cri-o://b90cd60962e04a7e0eacacb14c308f528223fed911c3137be844f5ca57368fb0",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:18Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:18Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=571f11b89874440788bfa2b3c902cecc1b96d3ff",
                    "build.appstudio.redhat.com/commit_sha": "571f11b89874440788bfa2b3c902cecc1b96d3ff",
                    "build.appstudio.redhat.com/pull_request_number": "233",
                    "build.appstudio.redhat.com/target_branch": "base-lrytgv",
                    "chains.tekton.dev/signed": "true",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-lrytgv",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "72998159535",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kxdugz",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-pull-request-xxq9z",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "233",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhads-tsf-ci[bot]",
                    "pipelinesascode.tekton.dev/sha": "571f11b89874440788bfa2b3c902cecc1b96d3ff",
                    "pipelinesascode.tekton.dev/sha-title": "RHADS-TSF-CI update tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/571f11b89874440788bfa2b3c902cecc1b96d3ff",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/c4f4fe74-5770-4f52-a76b-89cf3e4ff62c/records/2297abaa-7c38-41f6-bffd-572fa5e7a814",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"571f11b89874440788bfa2b3c902cecc1b96d3ff\",\"eventType\":\"pull_request\",\"pull_request-id\":233}",
                    "results.tekton.dev/result": "default-tenant/results/c4f4fe74-5770-4f52-a76b-89cf3e4ff62c",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone oci trusted artifacts",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git",
                    "test.appstudio.openshift.io/pr-group": "konflux-tsf-demo-comp",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-04-25T08:34:35Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 2,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "72998159535",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "233",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "571f11b89874440788bfa2b3c902cecc1b96d3ff",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-pull-request-xxq9z",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-pull-request-xxq9z",
                    "tekton.dev/pipelineRunUID": "c4f4fe74-5770-4f52-a76b-89cf3e4ff62c",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone-oci-ta-min",
                    "test.appstudio.openshift.io/pr-group-sha": "e5069fd5afbb0dd2d302e33fb7e375be47613ee02b0ea3b06542f7ea04bca2"
                },
                "name": "tsf-demo-comp-on-pull-request-xxq9z-clone-repository",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-pull-request-xxq9z",
                        "uid": "c4f4fe74-5770-4f52-a76b-89cf3e4ff62c"
                    }
                ],
                "resourceVersion": "36691",
                "uid": "2297abaa-7c38-41f6-bffd-572fa5e7a814"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/rhads-tsf-qe/testrepo"
                    },
                    {
                        "name": "revision",
                        "value": "571f11b89874440788bfa2b3c902cecc1b96d3ff"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:on-pr-571f11b89874440788bfa2b3c902cecc1b96d3ff.git"
                    },
                    {
                        "name": "ociArtifactExpiresAfter",
                        "value": "5d"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "status": "TaskRunCancelled",
                "statusMessage": "TaskRun cancelled as the PipelineRun it belongs to has been cancelled.",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min:0.1@sha256:2fff50eaed7d278c3ed82375d28241eaf6eecbc389ec4d44992721786a0dfa68"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-kxdugz"
                        }
                    }
                ]
            },
            "status": {
                "completionTime": "2026-04-25T08:34:38Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:34:38Z",
                        "message": "TaskRun \"tsf-demo-comp-on-pull-request-xxq9z-clone-repository\" was cancelled. TaskRun cancelled as the PipelineRun it belongs to has been cancelled.",
                        "reason": "TaskRunCancelled",
                        "status": "False",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-pull-request-xxq9z-clone-repository-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "2fff50eaed7d278c3ed82375d28241eaf6eecbc389ec4d44992721786a0dfa68"
                        },
                        "entryPoint": "git-clone-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min"
                    }
                },
                "startTime": "2026-04-25T08:34:35Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "name": "clone",
                        "terminated": {
                            "exitCode": 1,
                            "finishedAt": "2026-04-25T08:34:38Z",
                            "message": "Step clone terminated as pod tsf-demo-comp-on-pull-request-xxq9z-clone-repository-pod is terminated",
                            "reason": "TaskRunCancelled",
                            "startedAt": "2026-04-25T08:34:35Z"
                        },
                        "terminationReason": "TaskRunCancelled"
                    },
                    {
                        "container": "step-symlink-check",
                        "name": "symlink-check",
                        "terminated": {
                            "exitCode": 1,
                            "finishedAt": "2026-04-25T08:34:38Z",
                            "message": "Step symlink-check terminated as pod tsf-demo-comp-on-pull-request-xxq9z-clone-repository-pod is terminated",
                            "reason": "TaskRunCancelled",
                            "startedAt": "2026-04-25T08:34:35Z"
                        },
                        "terminationReason": "TaskRunCancelled"
                    },
                    {
                        "container": "step-create-trusted-artifact",
                        "name": "create-trusted-artifact",
                        "terminated": {
                            "exitCode": 1,
                            "finishedAt": "2026-04-25T08:34:38Z",
                            "message": "Step create-trusted-artifact terminated as pod tsf-demo-comp-on-pull-request-xxq9z-clone-repository-pod is terminated",
                            "reason": "TaskRunCancelled",
                            "startedAt": "2026-04-25T08:34:35Z"
                        },
                        "terminationReason": "TaskRunCancelled"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted artifact in the provided OCI repository.",
                    "params": [
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "description": "The OCI repository where the Trusted Artifacts are stored.",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to check out (branch, tag, SHA, ref, etc.).",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` disables TLS certificate verification for HTTPS remotes and is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task, shortened to the number of characters given by params.shortCommitLength.",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/rhads-tsf-qe/testrepo"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "571f11b89874440788bfa2b3c902cecc1b96d3ff"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                },
                                {
                                    "name": "CHECKOUT_DIR",
                                    "value": "/var/workdir/source"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ]; then\n  set -x\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ]; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e\"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e\"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ]; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export 
NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. 
Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\n  if ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n    echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n    echo \"--- Git Status ---\"\n    git status\n    echo \"------------------\"\n    exit 1\n  fi\n\n  # Check if there are changes staged for commit\n  if git diff --staged --quiet; then\n    echo \"No diff was found, skipping merge...\" \u003e\u00262\n  else\n    echo \"Merge successful (no conflicts found), committing...\"\n    if ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n      echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n      exit 1\n    fi\n    MERGED_SHA=$(git rev-parse HEAD)\n    echo \"New HEAD after merge: ${MERGED_SHA}\"\n    echo \"${MERGED_SHA}\" \u003e\"/tekton/results/merged_sha\"\n  fi\n\nelse\n  echo \"Merge option disabled. 
Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e\"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e\"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ]; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/workdir",
                                    "name": "workdir"
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "CHECKOUT_DIR",
                                    "value": "/var/workdir/source"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink; do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ]; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ]; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/workdir",
                                    "name": "workdir"
                                }
                            ]
                        },
                        {
                            "args": [
                                "create",
                                "--store",
                                "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:on-pr-571f11b89874440788bfa2b3c902cecc1b96d3ff.git",
                                "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_EXPIRES_AFTER",
                                    "value": "5d"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad",
                            "name": "create-trusted-artifact",
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/workdir",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=571f11b89874440788bfa2b3c902cecc1b96d3ff",
                    "build.appstudio.redhat.com/commit_sha": "571f11b89874440788bfa2b3c902cecc1b96d3ff",
                    "build.appstudio.redhat.com/pull_request_number": "233",
                    "build.appstudio.redhat.com/target_branch": "base-lrytgv",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=2",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-lrytgv",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "72998159535",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-kxdugz",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-pull-request-xxq9z",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "233",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhads-tsf-ci[bot]",
                    "pipelinesascode.tekton.dev/sha": "571f11b89874440788bfa2b3c902cecc1b96d3ff",
                    "pipelinesascode.tekton.dev/sha-title": "RHADS-TSF-CI update tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/571f11b89874440788bfa2b3c902cecc1b96d3ff",
                    "pipelinesascode.tekton.dev/source-branch": "konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/c4f4fe74-5770-4f52-a76b-89cf3e4ff62c/records/b5a01e29-e0b8-4f6c-810e-c1161f943481",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"571f11b89874440788bfa2b3c902cecc1b96d3ff\",\"eventType\":\"pull_request\",\"pull_request-id\":233}",
                    "results.tekton.dev/result": "default-tenant/results/c4f4fe74-5770-4f52-a76b-89cf3e4ff62c",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux",
                    "test.appstudio.openshift.io/pr-group": "konflux-tsf-demo-comp",
                    "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed"
                },
                "creationTimestamp": "2026-04-25T08:34:30Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "true",
                    "pipelinesascode.tekton.dev/check-run-id": "72998159535",
                    "pipelinesascode.tekton.dev/event-type": "pull_request",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-pull-request",
                    "pipelinesascode.tekton.dev/pull-request": "233",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "571f11b89874440788bfa2b3c902cecc1b96d3ff",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-pull-request-xxq9z",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-pull-request-xxq9z",
                    "tekton.dev/pipelineRunUID": "c4f4fe74-5770-4f52-a76b-89cf3e4ff62c",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init",
                    "test.appstudio.openshift.io/pr-group-sha": "e5069fd5afbb0dd2d302e33fb7e375be47613ee02b0ea3b06542f7ea04bca2"
                },
                "name": "tsf-demo-comp-on-pull-request-xxq9z-init",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-pull-request-xxq9z",
                        "uid": "c4f4fe74-5770-4f52-a76b-89cf3e4ff62c"
                    }
                ],
                "resourceVersion": "36609",
                "uid": "b5a01e29-e0b8-4f6c-810e-c1161f943481"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:34:34Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:34:34Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-pull-request-xxq9z-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-04-25T08:34:31Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:2d1039b614888ca46d5d771ca886a5843e56ac9acf7210040a61075371338247",
                        "name": "init",
                        "terminated": {
                            "containerID": "cri-o://a12ce68bb92270fb29bfef5ce30b1dc0b82c5f9f5578de5c593993ce12187f4f",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:34:33Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:34:33Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/commit_sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/target_branch": "base-vbzktl",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=46",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-vbzktl",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wjhlte",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-4l278",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-vbzktl\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #234 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-vbzktl",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a/records/fae4a446-710f-459e-824c-2b90afa01e31",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"f531195f8270badfde86d3c2463affa6ca989043\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux"
                },
                "creationTimestamp": "2026-04-25T08:40:15Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRunUID": "f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah-oci-ta-min"
                },
                "name": "tsf-demo-comp-on-push-4l278-build-container",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-4l278",
                        "uid": "f3d6bbf8-2f2c-42fc-847d-77690113687a"
                    }
                ],
                "resourceVersion": "43803",
                "uid": "fae4a446-710f-459e-824c-2b90afa01e31"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": ""
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "f531195f8270badfde86d3c2463affa6ca989043"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/rhads-tsf-qe/testrepo"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:aa9b40d372958e87dcf348be01cd2d935951e7bc0cf66da3198aa1faca3d282f"
                    },
                    {
                        "name": "CACHI2_ARTIFACT",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min:0.9@sha256:95c1b5a8b454e19bd4eb28bf90ee0247467743d0e0f5737d952dce1a99108d2f"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:43:16Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:43:16Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-4l278-build-container-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "95c1b5a8b454e19bd4eb28bf90ee0247467743d0e0f5737d952dce1a99108d2f"
                        },
                        "entryPoint": "buildah-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043@sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:5c7f720cf9e74755fb4f129c5ae707d2d8e1cc1a51db816852fe15d452384a2c"
                    }
                ],
                "startTime": "2026-04-25T08:40:15Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad",
                        "name": "use-trusted-artifact",
                        "terminated": {
                            "containerID": "cri-o://08ddc86f00eda48a7d53f848cbb6fc96a527e939020e2f40d2c865a8e7377f79",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:40:20Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:40:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330",
                        "name": "build",
                        "terminated": {
                            "containerID": "cri-o://136e52d0a2e2051cc01d1350e96c1becc99edd69f658b084eadc2474d28a0191",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:41:47Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:40:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330",
                        "name": "push",
                        "terminated": {
                            "containerID": "cri-o://062af8609862b9a55b57b2c00cbb0c0500ed3b64609d5d8b556d8296b3a5d1ff",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:42:03Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043@sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:41:47Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:b22b989da3c95cb0af862eeb82531ed4f687e948ca5fb6b965d1ea8fbd5054ce",
                        "name": "sbom-syft-generate",
                        "terminated": {
                            "containerID": "cri-o://70b66ff94ee8b9e17466f5a37d1b07f3ff7d89107e9167d126393c9b18410690",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:42:46Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043@sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:42:04Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d",
                        "name": "prepare-sboms",
                        "terminated": {
                            "containerID": "cri-o://a597ab2aebb021980d127737418377f4560f5ac67ec6e394a8f9a2e9f43b3299",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:08Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043@sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:42:46Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:b22b989da3c95cb0af862eeb82531ed4f687e948ca5fb6b965d1ea8fbd5054ce",
                        "name": "upload-sbom",
                        "terminated": {
                            "containerID": "cri-o://7d6469e4c3b772f7646bf1a9aad6e07d4b0eac3b4ad40c8fc4d72a9ddeb233a0",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:16Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043@sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:5c7f720cf9e74755fb4f129c5ae707d2d8e1cc1a51db816852fe15d452384a2c\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:09Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The buildah task builds source code into a container image and pushes the image to a container registry using the buildah tool.\nIn addition, it generates an SBOM file, injects the SBOM file into the final container image and pushes the SBOM file as a separate image using the cosign tool.\nWhen the prefetch-dependencies task is activated, its artifacts are used to run the build in a hermetic environment.",
                    "params": [
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include in the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.",
                            "name": "CACHI2_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode. Should be used only with remote VMs.",
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to skip SBOM validation before save. Validation is optional - set this to true to skip it if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify TLS on the registry endpoint (set to false for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "256Mi"
                            },
                            "requests": {
                                "cpu": "100m",
                                "memory": "256Mi"
                            }
                        },
                        "env": [
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "."
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            },
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:aa9b40d372958e87dcf348be01cd2d935951e7bc0cf66da3198aa1faca3d282f=/var/workdir/source",
                                "=/var/workdir/cachi2"
                            ],
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad",
                            "name": "use-trusted-artifact",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "500m",
                                    "memory": "1Gi"
                                },
                                "requests": {
                                    "cpu": "500m",
                                    "memory": "1Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "f531195f8270badfde86d3c2463affa6ca989043"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/rhads-tsf-qe/testrepo"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n\"$source_dir_path\" | \"$source_dir_path/\"*)\n  # path is valid, do nothing\n  ;;\n*)\n  echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n  echo \"Source path: $source_dir_path\" \u003e\u00262\n  echo \"Resolved path: $context_dir_path\" \u003e\u00262\n  exit 1\n  ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  
update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e/etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    
if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c\"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n  --build-args)\n    shift\n    # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n    # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n    # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n    while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n      build_args+=(\"$1\")\n      shift\n    done\n    ;;\n  --env)\n    shift\n    # Collect env entries of the form KEY=value\n    while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n      env_vars+=(\"$1\")\n      shift\n    done\n    ;;\n  --labels)\n    shift\n    while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n      LABELS+=(\"--label\" \"$1\")\n      shift\n    done\n    ;;\n  --annotations)\n    shift\n    while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n      ANNOTATIONS+=(\"--annotation\" \"$1\")\n      shift\n    done\n    ;;\n  *)\n    echo \"unexpected argument: $1\" \u003e\u00262\n    exit 2\n    ;;\n  esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e/shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n  jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n    tr -d 
'\"' |\n    tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"; then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ]; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ]; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot 
use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/var/workdir/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e/shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/var/workdir/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n    -e 'H;1h;$!d;x' \\\n    -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. 
/cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n    \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" 
\"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null$()\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. 
If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' 
\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e\"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. 
Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key\n    -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z\n    -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"; then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e/dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed 
in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c\"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n  buildah build\n  \"${VOLUME_MOUNTS[@]}\"\n  \"${BUILDAH_ARGS[@]}\"\n  \"${LABELS[@]}\"\n  \"${ANNOTATIONS[@]}\"\n  --tls-verify=\"$TLSVERIFY\" --no-cache\n  --ulimit nofile=4096:4096\n  --http-proxy=false\n  -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  
command=\"$buildah_cmd\"\nfi\n\n# disable host subscription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e/shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "tsf-demo-comp-on-push-4l278-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"; then\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/var/workdir/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"; then\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c\"/var/workdir\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/var/workdir/image-digest\"\n} \u003e\"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! 
RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"; then\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n   [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n   [rekorInternalUrl]=REKOR_URL\n   [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n   [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n   [rekorInternalUrl]=rekorExternalUrl\n   [fulcioInternalUrl]=fulcioExternalUrl\n   [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e/shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! 
retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e/tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"; then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "256m",
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "256m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\ncyclonedx)\n  syft_sbom_type=cyclonedx-json@1.5\n  ;;\nspdx)\n  syft_sbom_type=spdx-json@2.3\n  ;;\n*)\n  echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n  exit 1\n  ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/var/workdir/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/var/workdir/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.2.0-1774868067@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n  --additional-base-images)\n    shift\n    while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n      ADDITIONAL_BASE_IMAGES+=(\"$1\")\n      shift\n    done\n    ;;\n  *)\n    echo \"unexpected argument: $1\" \u003e\u00262\n    exit 2\n    ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/var/workdir/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/var/workdir/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/var/workdir/sbom-source.json\")\nfi\n\nif [ -f \"/var/workdir/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/var/workdir/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f 
\"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/var/workdir"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"; then\n  echo \"Failed to push sbom to registry\"\n  exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! 
retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format consistency with the cyclonedx format, we want to use spdxjson instead of spdx\n    # spdx exports data as a raw string; we want structured json, as with cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"; then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/commit_sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/target_branch": "base-vbzktl",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=49",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-vbzktl",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wjhlte",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-4l278",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-vbzktl\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #234 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-vbzktl",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a/records/4e6d7abf-27d6-4039-9490-bebcadeae0ec",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"f531195f8270badfde86d3c2463affa6ca989043\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux"
                },
                "creationTimestamp": "2026-04-25T08:43:17Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRunUID": "f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index-min"
                },
                "name": "tsf-demo-comp-on-push-4l278-build-image-index",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-4l278",
                        "uid": "f3d6bbf8-2f2c-42fc-847d-77690113687a"
                    }
                ],
                "resourceVersion": "44124",
                "uid": "4e6d7abf-27d6-4039-9490-bebcadeae0ec"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "f531195f8270badfde86d3c2463affa6ca989043"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": ""
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043@sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index-min:0.2@sha256:79b412747e07caf80cace222ef8ee7e7955676f7928b893ed39c107f4ec62bf3"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:43:22Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:43:22Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-4l278-build-image-index-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "79b412747e07caf80cace222ef8ee7e7955676f7928b893ed39c107f4ec62bf3"
                        },
                        "entryPoint": "build-image-index-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index-min"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                    }
                ],
                "startTime": "2026-04-25T08:43:17Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330",
                        "name": "build",
                        "terminated": {
                            "containerID": "cri-o://834b6d8be6b4ad0c58de5d115f6d293c9a9cd0b6cd4814cb3ed6a30def8f278e",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:21Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:21Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d",
                        "name": "create-sbom",
                        "terminated": {
                            "containerID": "cri-o://5cf35f41ad47ec4e121cb22de32f34fb2db97526806f53a8332ef59ff41754a6",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:21Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:21Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:b22b989da3c95cb0af862eeb82531ed4f687e948ca5fb6b965d1ea8fbd5054ce",
                        "name": "upload-sbom",
                        "terminated": {
                            "containerID": "cri-o://6ce322a8c61c51b13dc2d7b8d01b090f3b7fb2089584d415bcbf0eefa7bc0c76",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:21Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:21Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to verify TLS on the registry endpoint (set to false for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to true to skip SBOM validation before save. Validation is optional - skip it if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "f531195f8270badfde86d3c2463affa6ca989043"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043@sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. 
Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! 
retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:tsf-demo-comp-on-push-4l278-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:tsf-demo-comp-on-push-4l278-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.2.0-1774868067@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/commit_sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/target_branch": "base-vbzktl",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=63",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-vbzktl",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wjhlte",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-4l278",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-vbzktl\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #234 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-vbzktl",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a/records/a3f1ac49-8eb1-4aff-b78a-533954114ce0",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"f531195f8270badfde86d3c2463affa6ca989043\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-04-25T08:43:22Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRunUID": "f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan-min"
                },
                "name": "tsf-demo-comp-on-push-4l278-clair-scan",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-4l278",
                        "uid": "f3d6bbf8-2f2c-42fc-847d-77690113687a"
                    }
                ],
                "resourceVersion": "45632",
                "uid": "a3f1ac49-8eb1-4aff-b78a-533954114ce0"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan-min:0.3@sha256:c117d0fd0b5413b5addb014027f06b1ea2c39c8e962876810c40c7baf5b54e72"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:44:32Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:44:32Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-4l278-clair-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c117d0fd0b5413b5addb014027f06b1ea2c39c8e962876810c40c7baf5b54e72"
                        },
                        "entryPoint": "clair-scan-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan-min"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043\", \"digests\": [\"sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\":\"sha256:8cfc98071a17b070f935165ef0e1f9cf1e9ab158c7ec1996005ab2162c602d36\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":12,\"medium\":187,\"low\":285,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-04-25T08:44:30+00:00\",\"note\":\"Task clair-scan-min completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-04-25T08:43:22Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                        "name": "get-image-manifests",
                        "terminated": {
                            "containerID": "cri-o://28fcec04ddade3073c2c2a9c97712dd2e4e258d5eb7e9897203816f34bb22282",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:32Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:27Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:b72729ad74202d2ec5d306f20602a74edc489060f39063d60d1ce7c6583b6bac",
                        "name": "get-vulnerabilities",
                        "terminated": {
                            "containerID": "cri-o://9ecb14caa7de75338077bbb333b6a7f418f2a5206aa2a32e7ea1dc17aa8fbe41",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:44:21Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "oci-attach-report",
                        "terminated": {
                            "containerID": "cri-o://48855b35fe898ef7c07d8f36700246cad3c90c418873c107bdca5047fdd1b142",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:44:24Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:44:21Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                        "name": "conftest-vulnerabilities",
                        "terminated": {
                            "containerID": "cri-o://d7fc8171ae3ce2b0c21d1745a8f44aaff03ca41fdea7f3648740b498b0437487",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:44:31Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043\\\", \\\"digests\\\": [\\\"sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\\\":\\\"sha256:8cfc98071a17b070f935165ef0e1f9cf1e9ab158c7ec1996005ab2162c602d36\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":12,\\\"medium\\\":187,\\\"low\\\":285,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:44:30+00:00\\\",\\\"note\\\":\\\"Task clair-scan-min completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:44:24Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair by comparing the components of the container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform the image was built on.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "RETRY_COUNT",
                                "value": "5"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.51@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$IMAGE_URL\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan-min failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$IMAGE_URL\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --docker-config-dir=/tmp/auth --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. 
If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.51@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan-min failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? 
// [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? 
// [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan-min completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/commit_sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/target_branch": "base-vbzktl",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=79",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-vbzktl",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wjhlte",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-4l278",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-vbzktl\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #234 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-vbzktl",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a/records/07eb8d24-0245-4895-ba47-1ff7fa40f31d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"f531195f8270badfde86d3c2463affa6ca989043\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux"
                },
                "creationTimestamp": "2026-04-25T08:43:22Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRunUID": "f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan-min"
                },
                "name": "tsf-demo-comp-on-push-4l278-clamav-scan",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-4l278",
                        "uid": "f3d6bbf8-2f2c-42fc-847d-77690113687a"
                    }
                ],
                "resourceVersion": "47657",
                "uid": "07eb8d24-0245-4895-ba47-1ff7fa40f31d"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min:0.3@sha256:589e34f73d310aa993c9761d8b78265a904a121028bda2809d8a2d0500454bd8"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:46:59Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:46:59Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-4l278-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "589e34f73d310aa993c9761d8b78265a904a121028bda2809d8a2d0500454bd8"
                        },
                        "entryPoint": "clamav-scan-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043\", \"digests\": [\"sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1777106815\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-04-25T08:43:22Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:0d229662067b3127c16fc1d87a22743f21cb3f5d4fd18eafc462b99cfc6efefa",
                        "name": "extract-and-scan-image",
                        "terminated": {
                            "containerID": "cri-o://7593470d1b424eb018447de1dc7bf10747529a7972a1b1cd17c8e742393d9751",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:46:55Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043\\\", \\\"digests\\\": [\\\"sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106815\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:27Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "upload",
                        "terminated": {
                            "containerID": "cri-o://b417e0c0b2db716ee79a0effc9f50c9c8e3236d1ceb6471a5784aa66b7a06336",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:46:58Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043\\\", \\\"digests\\\": [\\\"sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106815\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:46:55Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using the ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image architecture.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads that clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "512m",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "512m",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. 
This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. 
/utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! 
echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". 
For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan-min failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). 
Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan-min failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. 
Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. 
Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/commit_sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/target_branch": "base-vbzktl",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=30",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-vbzktl",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wjhlte",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-4l278",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-vbzktl\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #234 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-vbzktl",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a/records/2ed318fb-6b09-4437-a7da-cbcb953f7a61",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"f531195f8270badfde86d3c2463affa6ca989043\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone oci trusted artifacts",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git"
                },
                "creationTimestamp": "2026-04-25T08:39:33Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRunUID": "f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone-oci-ta-min"
                },
                "name": "tsf-demo-comp-on-push-4l278-clone-repository",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-4l278",
                        "uid": "f3d6bbf8-2f2c-42fc-847d-77690113687a"
                    }
                ],
                "resourceVersion": "41381",
                "uid": "2ed318fb-6b09-4437-a7da-cbcb953f7a61"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/rhads-tsf-qe/testrepo"
                    },
                    {
                        "name": "revision",
                        "value": "f531195f8270badfde86d3c2463affa6ca989043"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043.git"
                    },
                    {
                        "name": "ociArtifactExpiresAfter",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min:0.1@sha256:2fff50eaed7d278c3ed82375d28241eaf6eecbc389ec4d44992721786a0dfa68"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-wjhlte"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:39:41Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:39:41Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-4l278-clone-repository-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "2fff50eaed7d278c3ed82375d28241eaf6eecbc389ec4d44992721786a0dfa68"
                        },
                        "entryPoint": "git-clone-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "f531195f8270badfde86d3c2463affa6ca989043"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/rhads-tsf-qe/testrepo"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "f531195f8270badfde86d3c2463affa6ca989043"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1777106356"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "f531195"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/rhads-tsf-qe/testrepo"
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "type": "string",
                        "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:aa9b40d372958e87dcf348be01cd2d935951e7bc0cf66da3198aa1faca3d282f"
                    }
                ],
                "startTime": "2026-04-25T08:39:33Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "terminated": {
                            "containerID": "cri-o://390950689f6a874353e0284da5f7f24405d3f57f7815055c264cb8d0a9b6a4af",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:38Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"f531195f8270badfde86d3c2463affa6ca989043\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1},{\"key\":\"commit\",\"value\":\"f531195f8270badfde86d3c2463affa6ca989043\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1777106356\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"f531195\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:38Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "terminated": {
                            "containerID": "cri-o://7ddd66e7e101136615304d8b3e09b7430a33962ba6632c486e8b2cc044526a51",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:39Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"f531195f8270badfde86d3c2463affa6ca989043\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1},{\"key\":\"commit\",\"value\":\"f531195f8270badfde86d3c2463affa6ca989043\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1777106356\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"f531195\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:39Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad",
                        "name": "create-trusted-artifact",
                        "terminated": {
                            "containerID": "cri-o://6275089246ced8a4af987ae5d26c0ae40fadb5a56d3b604e3fbc179b759a1188",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:41Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"f531195f8270badfde86d3c2463affa6ca989043\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:aa9b40d372958e87dcf348be01cd2d935951e7bc0cf66da3198aa1faca3d282f\",\"type\":1},{\"key\":\"commit\",\"value\":\"f531195f8270badfde86d3c2463affa6ca989043\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1777106356\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"f531195\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:39Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted artifact in the provided OCI repository.",
                    "params": [
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "description": "The OCI repository where the Trusted Artifacts are stored.",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task, truncated to the number of characters given by params.shortCommitLength.",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/rhads-tsf-qe/testrepo"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "f531195f8270badfde86d3c2463affa6ca989043"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                },
                                {
                                    "name": "CHECKOUT_DIR",
                                    "value": "/var/workdir/source"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ]; then\n  set -x\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ]; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e\"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e\"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ]; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export 
NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. 
Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\n  if ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n    echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n    echo \"--- Git Status ---\"\n    git status\n    echo \"------------------\"\n    exit 1\n  fi\n\n  # Check if there are changes staged for commit\n  if git diff --staged --quiet; then\n    echo \"No diff was found, skipping merge...\" \u003e\u00262\n  else\n    echo \"Merge successful (no conflicts found), committing...\"\n    if ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n      echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n      exit 1\n    fi\n    MERGED_SHA=$(git rev-parse HEAD)\n    echo \"New HEAD after merge: ${MERGED_SHA}\"\n    echo \"${MERGED_SHA}\" \u003e\"/tekton/results/merged_sha\"\n  fi\n\nelse\n  echo \"Merge option disabled. 
Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e\"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e\"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ]; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/workdir",
                                    "name": "workdir"
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "CHECKOUT_DIR",
                                    "value": "/var/workdir/source"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink; do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ]; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ]; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/workdir",
                                    "name": "workdir"
                                }
                            ]
                        },
                        {
                            "args": [
                                "create",
                                "--store",
                                "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043.git",
                                "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_EXPIRES_AFTER"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad",
                            "name": "create-trusted-artifact",
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/workdir",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/commit_sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/target_branch": "base-vbzktl",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=52",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-vbzktl",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wjhlte",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-4l278",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-vbzktl\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #234 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-vbzktl",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a/records/ca39351a-2392-4bc0-b0b4-fca114cae3bd",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"f531195f8270badfde86d3c2463affa6ca989043\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-04-25T08:43:22Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRunUID": "f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check"
                },
                "name": "tsf-demo-comp-on-push-4l278-deprecated-base-image-check",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-4l278",
                        "uid": "f3d6bbf8-2f2c-42fc-847d-77690113687a"
                    }
                ],
                "resourceVersion": "44747",
                "uid": "ca39351a-2392-4bc0-b0b4-fca114cae3bd"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:43:35Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:43:35Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-4l278-deprecated-base-image-check-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043\", \"digests\": [\"sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-04-25T08:43:34+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":1,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-04-25T08:43:22Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:3bba1fe5ad96bd3811f34b367487192683aa9b1ba343da4885dda565b0a7207e",
                        "name": "check-images",
                        "terminated": {
                            "containerID": "cri-o://ef02bcaf8e3af0eb82e725638ec86ec977e3ca72bb737ea22caa984c62030166",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:34Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043\\\", \\\"digests\\\": [\\\"sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:43:34+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":1,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:27Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies unmaintained and potentially insecure deprecated base images. The Pyxis API collects metadata from the image repository, and Conftest applies the supplied policy to that metadata to identify the deprecated images.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? 
| select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: 
registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. 
Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/commit_sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/target_branch": "base-vbzktl",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=28",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-vbzktl",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wjhlte",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-4l278",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-vbzktl\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #234 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-vbzktl",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a/records/2a7edb85-ffc4-4067-a4ef-5003a4f68d5c",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"f531195f8270badfde86d3c2463affa6ca989043\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-04-25T08:39:28Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRunUID": "f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init"
                },
                "name": "tsf-demo-comp-on-push-4l278-init",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-4l278",
                        "uid": "f3d6bbf8-2f2c-42fc-847d-77690113687a"
                    }
                ],
                "resourceVersion": "41345",
                "uid": "2a7edb85-ffc4-4067-a4ef-5003a4f68d5c"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:39:33Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:39:33Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-4l278-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-04-25T08:39:28Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:2d1039b614888ca46d5d771ca886a5843e56ac9acf7210040a61075371338247",
                        "name": "init",
                        "terminated": {
                            "containerID": "cri-o://4733091354a99410ba4a971a703aecdcad7b016fe169712bed60295814497ad2",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:32Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:32Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/commit_sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/target_branch": "base-vbzktl",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=32",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-vbzktl",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wjhlte",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-4l278",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-vbzktl\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #234 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-vbzktl",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a/records/5140144c-d068-4e61-a498-8ceabf0ac381",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"f531195f8270badfde86d3c2463affa6ca989043\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux"
                },
                "creationTimestamp": "2026-04-25T08:39:41Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRunUID": "f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies-oci-ta-min"
                },
                "name": "tsf-demo-comp-on-push-4l278-prefetch-dependencies",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-4l278",
                        "uid": "f3d6bbf8-2f2c-42fc-847d-77690113687a"
                    }
                ],
                "resourceVersion": "41760",
                "uid": "5140144c-d068-4e61-a498-8ceabf0ac381"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:aa9b40d372958e87dcf348be01cd2d935951e7bc0cf66da3198aa1faca3d282f"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043.prefetch"
                    },
                    {
                        "name": "ociArtifactExpiresAfter",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min:0.3@sha256:1a41e7ee19f9e02874b4ef1f74e6f588a7601deaf5b30ca0862808e5760cea5d"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-wjhlte"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:40:15Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:40:15Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-4l278-prefetch-dependencies-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "1a41e7ee19f9e02874b4ef1f74e6f588a7601deaf5b30ca0862808e5760cea5d"
                        },
                        "entryPoint": "prefetch-dependencies-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "CACHI2_ARTIFACT",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "type": "string",
                        "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:aa9b40d372958e87dcf348be01cd2d935951e7bc0cf66da3198aa1faca3d282f"
                    }
                ],
                "startTime": "2026-04-25T08:39:41Z",
                "steps": [
                    {
                        "container": "step-skip-ta",
                        "imageID": "registry.access.redhat.com/ubi9/ubi-minimal@sha256:83006d535923fcf1345067873524a3980316f51794f01d8655be55d6e9387183",
                        "name": "skip-ta",
                        "terminated": {
                            "containerID": "cri-o://0ea8962657a269333875c4b0e8576aea82b28dc3c373e11ac95aed50e33b5844",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:47Z",
                            "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:aa9b40d372958e87dcf348be01cd2d935951e7bc0cf66da3198aa1faca3d282f\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:47Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:6ee5ae7d29b718eb3c69e55f1ec3a3264bc1a03ba398b2e1f34c7a20af1720d1",
                        "name": "use-trusted-artifact",
                        "terminated": {
                            "containerID": "cri-o://deca36c1d5c8d15bbb745a8a77c98ea6863ef473eaecdc7f7699bce43bd1aa19",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:48Z",
                            "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:aa9b40d372958e87dcf348be01cd2d935951e7bc0cf66da3198aa1faca3d282f\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:47Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:0101888c066cc428dbbe87f91752e6208cdfdce5e68f6d7b1a773ec281870784",
                        "name": "prefetch-dependencies",
                        "terminated": {
                            "containerID": "cri-o://9c73290d88803218f8727e7bbb745c2a0a826af71ac7524c810b689946e649dc",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:40:13Z",
                            "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:aa9b40d372958e87dcf348be01cd2d935951e7bc0cf66da3198aa1faca3d282f\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:48Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:6ee5ae7d29b718eb3c69e55f1ec3a3264bc1a03ba398b2e1f34c7a20af1720d1",
                        "name": "create-trusted-artifact",
                        "terminated": {
                            "containerID": "cri-o://99ce95f4d20a6d8998856554038b9e1684b14db8535707a2bd461b3ecdf978f6",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:40:14Z",
                            "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:aa9b40d372958e87dcf348be01cd2d935951e7bc0cf66da3198aa1faca3d282f\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:40:14Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "description": "The OCI repository where the Trusted Artifacts are stored.",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.",
                            "name": "CACHI2_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "INPUT"
                                },
                                {
                                    "name": "SOURCE_ARTIFACT",
                                    "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:aa9b40d372958e87dcf348be01cd2d935951e7bc0cf66da3198aa1faca3d282f"
                                }
                            ],
                            "image": "registry.access.redhat.com/ubi9/ubi-minimal:9.7-1773939694@sha256:83006d535923fcf1345067873524a3980316f51794f01d8655be55d6e9387183",
                            "name": "skip-ta",
                            "script": "#!/bin/bash\n\nif [ -z \"${INPUT}\" ]; then\n  mkdir -p /var/workdir/source\n  mkdir -p /var/workdir/cachi2\n  echo \"true\" \u003e/var/workdir/source/.skip-trusted-artifacts\n  echo \"true\" \u003e/var/workdir/cachi2/.skip-trusted-artifacts\n  echo -n \"${SOURCE_ARTIFACT}\" \u003e\"/tekton/results/SOURCE_ARTIFACT\"\n  echo -n \"\" \u003e\"/tekton/results/CACHI2_ARTIFACT\"\nfi\n"
                        },
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:aa9b40d372958e87dcf348be01cd2d935951e7bc0cf66da3198aa1faca3d282f=/var/workdir/source"
                            ],
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:6ee5ae7d29b718eb3c69e55f1ec3a3264bc1a03ba398b2e1f34c7a20af1720d1",
                            "name": "use-trusted-artifact"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/var/workdir/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/var/workdir/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/var/workdir/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e/mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "args": [
                                "create",
                                "--store",
                                "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043.prefetch",
                                "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source",
                                "/tekton/results/CACHI2_ARTIFACT=/var/workdir/cachi2"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_EXPIRES_AFTER"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:6ee5ae7d29b718eb3c69e55f1ec3a3264bc1a03ba398b2e1f34c7a20af1720d1",
                            "name": "create-trusted-artifact"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/commit_sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/target_branch": "base-vbzktl",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=57",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-vbzktl",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wjhlte",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-4l278",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-vbzktl\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #234 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-vbzktl",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a/records/882b51e6-13a6-4def-a2bd-1a4f78998192",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"f531195f8270badfde86d3c2463affa6ca989043\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "results.tekton.dev/stored": "true"
                },
                "creationTimestamp": "2026-04-25T08:43:22Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRunUID": "f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan"
                },
                "name": "tsf-demo-comp-on-push-4l278-rpms-signature-scan",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-4l278",
                        "uid": "f3d6bbf8-2f2c-42fc-847d-77690113687a"
                    }
                ],
                "resourceVersion": "44547",
                "uid": "882b51e6-13a6-4def-a2bd-1a4f78998192"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:43:44Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:43:44Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-4l278-rpms-signature-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043\", \"digests\": [\"sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 183, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-04-25T08:43:43+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-04-25T08:43:23Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "terminated": {
                            "containerID": "cri-o://08b4b59c845a48a99be5161b18eb7dc063db61c134308ca721e1bf43d38d3093",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:43Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:29Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "terminated": {
                            "containerID": "cri-o://68f0e4473caa8fc00118a077a3658d6f3cf7c3a9952ad375cf2f5d8e731ca57d",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:44Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043\\\", \\\"digests\\\": [\\\"sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 183, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:43:43+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:43Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provides information about RPM signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/commit_sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/target_branch": "base-vbzktl",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=53",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-vbzktl",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wjhlte",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-4l278",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-vbzktl\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #234 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-vbzktl",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a/records/6e04f314-1282-4665-8914-06e609cf503f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"f531195f8270badfde86d3c2463affa6ca989043\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-04-25T08:43:22Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRunUID": "f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check-oci-ta-min"
                },
                "name": "tsf-demo-comp-on-push-4l278-sast-shell-check",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-4l278",
                        "uid": "f3d6bbf8-2f2c-42fc-847d-77690113687a"
                    }
                ],
                "resourceVersion": "44463",
                "uid": "6e04f314-1282-4665-8914-06e609cf503f"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:aa9b40d372958e87dcf348be01cd2d935951e7bc0cf66da3198aa1faca3d282f"
                    },
                    {
                        "name": "CACHI2_ARTIFACT",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min:0.1@sha256:fa19753f59288a397aab2ddb9459f35f0ec1b89f43c36e944a3958db72becb5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:43:35Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:43:35Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-4l278-sast-shell-check-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "fa19753f59288a397aab2ddb9459f35f0ec1b89f43c36e944a3958db72becb5a"
                        },
                        "entryPoint": "sast-shell-check-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-04-25T08:43:32+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-04-25T08:43:23Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:ab064e9763b62d99da5ee9653370da86ffd9d3e770e1aad7a935e88b64a0b6ac",
                        "name": "use-trusted-artifact",
                        "terminated": {
                            "containerID": "cri-o://8df7950f17a01adbfec3aa6d77cdbeb8f03b4b5e5aaa3f2a62ff6c3c6b2507f0",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:27Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:27Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                        "name": "sast-shell-check",
                        "terminated": {
                            "containerID": "cri-o://590fd3949059e6c56759cff2325431fb9c9df9ecb3b8a61bca0c2d038d254b0e",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:32Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:43:32+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:28Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:180b50c7be50c20e3349a79df8dd6062fee0e0dd01aa30e9a09d1d07d9ebd0c2",
                        "name": "upload",
                        "terminated": {
                            "containerID": "cri-o://933730f441e4fe49553f2767723b2798d1f5b39b45ffd1061fc216645c68262a",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:34Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:43:32+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:33Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses the [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool that gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.",
                            "name": "CACHI2_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:aa9b40d372958e87dcf348be01cd2d935951e7bc0cf66da3198aa1faca3d282f=/var/workdir/source",
                                "=/var/workdir/cachi2"
                            ],
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:ab064e9763b62d99da5ee9653370da86ffd9d3e770e1aad7a935e88b64a0b6ac",
                            "name": "use-trusted-artifact",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "128m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "128m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.51@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n  PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/var/workdir/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c\"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n  read -r quota period \u003c/sys/fs/cgroup/cpu.max\n  if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n    export SC_JOBS=$(((quota + period - 1) / period))\n    echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n  fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh 
\"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n  --mode=json\n  --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n  --remove-duplicates\n  --embed-context=3\n  --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n  # predefined list of shellcheck important findings\n  CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n  CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n  CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n  CSGREP_OPTS+=(\n    --event=\"$CSGREP_EVENT_FILTER\"\n  )\nelse\n  CSGREP_OPTS+=(\n    --event=\"error|warning\"\n  )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e\"$OUTPUT_FILE\"; then\n  echo \"Error occurred while running 'run-shellcheck.sh'\"\n  note=\"Task sast-shell-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n  KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n  # Default location only reachable from internal Konflux instances, check reachable first\n  echo -n \"INFO: Probing ${PROBE_URL}... 
\"\n  if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n    echo \"INFO: Trying to clone known-false-positives..\"\n    git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n  fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n  echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n  echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n  # build initial csfilter-kfp command\n  csfilter_kfp_cmd=(\n    csfilter-kfp\n    --verbose\n    --kfp-dir=\"${KFP_DIR}\"\n    --project-nvr=\"${PROJECT_NAME}\"\n  )\n\n  if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n    csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n  fi\n\n  # Execute the command and capture any errors\n  set +e\n  \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e\"${OUTPUT_FILE}.filtered\" 2\u003e\"${OUTPUT_FILE}.error\"\n  status=$?\n  set -e\n  if [ \"$status\" -ne 0 ]; then\n    echo \"WARN: failed to filter known false positives\" \u003e\u00262\n  else\n    mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n    echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n  fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003eshellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check-oci-ta-min\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:180b50c7be50c20e3349a79df8dd6062fee0e0dd01aa30e9a09d1d07d9ebd0c2",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n  echo 'No image-url or image-digest param provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n  if [ ! -f \"${UPLOAD_FILE}\" ]; then\n    echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n    continue\n  fi\n\n  # Determine the media type based on the file extension\n  if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n    MEDIA_TYPE=\"application/json\"\n  else\n    MEDIA_TYPE=\"application/sarif+json\"\n  fi\n\n  echo \"Selecting auth\"\n  select-oci-auth \"$IMAGE_URL\" \u003e\"$HOME/auth.json\"\n  echo \"Attaching to ${IMAGE_URL}\"\n  if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"; then\n    echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n    exit 1\n  fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/commit_sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/target_branch": "base-vbzktl",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=54",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-vbzktl",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wjhlte",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-4l278",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-vbzktl\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #234 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-vbzktl",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a/records/cb73ae73-87ed-4c25-9d40-a54fca361187",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"f531195f8270badfde86d3c2463affa6ca989043\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-04-25T08:43:22Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRunUID": "f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check-oci-ta-min"
                },
                "name": "tsf-demo-comp-on-push-4l278-sast-unicode-check",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-4l278",
                        "uid": "f3d6bbf8-2f2c-42fc-847d-77690113687a"
                    }
                ],
                "resourceVersion": "44543",
                "uid": "cb73ae73-87ed-4c25-9d40-a54fca361187"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:aa9b40d372958e87dcf348be01cd2d935951e7bc0cf66da3198aa1faca3d282f"
                    },
                    {
                        "name": "CACHI2_ARTIFACT",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min:0.4@sha256:624d9ed6d461b59a16d8c1578276626c02fa6d56e0ee4bcd752f7859055f21ab"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:43:36Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:43:36Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-4l278-sast-unicode-check-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "624d9ed6d461b59a16d8c1578276626c02fa6d56e0ee4bcd752f7859055f21ab"
                        },
                        "entryPoint": "sast-unicode-check-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-04-25T08:43:34+00:00\",\"note\":\"Task sast-unicode-check-oci-ta-min success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-04-25T08:43:23Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:ab064e9763b62d99da5ee9653370da86ffd9d3e770e1aad7a935e88b64a0b6ac",
                        "name": "use-trusted-artifact",
                        "terminated": {
                            "containerID": "cri-o://7044c1cdbe0394e663a9de53955f503ae661426833367570259da7e48b7ad606",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:33Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                        "name": "sast-unicode-check",
                        "terminated": {
                            "containerID": "cri-o://b330da37652def908bdbb78d2e11e400961fe2254365b61ce8552de9af6116ae",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:34Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:43:34+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta-min success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:34Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:180b50c7be50c20e3349a79df8dd6062fee0e0dd01aa30e9a09d1d07d9ebd0c2",
                        "name": "upload",
                        "terminated": {
                            "containerID": "cri-o://392ef39076d2aab005e8e699f3c94b0c26799e742067739ff8a0dec3f97ca7f1",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:35Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:43:34+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta-min success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:34Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "default": "",
                            "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.",
                            "name": "CACHI2_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "arguments for find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:aa9b40d372958e87dcf348be01cd2d935951e7bc0cf66da3198aa1faca3d282f=/var/workdir/source",
                                "=/var/workdir/cachi2"
                            ],
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:ab064e9763b62d99da5ee9653370da86ffd9d3e770e1aad7a935e88b64a0b6ac",
                            "name": "use-trusted-artifact",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "128m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/var/workdir"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.51@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n  PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n  \u003eraw_sast_unicode_check_out.txt \\\n  2\u003eraw_sast_unicode_check_out.log ||\n  FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n  echo \"Failed to run find-unicode-control command\" \u003e\u00262\n  cat raw_sast_unicode_check_out.log\n  note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 1\nfi\n\n# Translate the output format\nif ! 
sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n  echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n  note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n  --mode=json\n  --remove-duplicates\n  --embed-context=3\n  --set-scan-prop=\"${SCAN_PROP}\"\n  --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003eprocessed_sast_unicode_check_out.json 2\u003eprocessed_sast_unicode_check_out.err; then\n  echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n  cat processed_sast_unicode_check_out.err\n  note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n  KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n  # Default location only reachable from internal Konflux instances, check reachable first\n  echo -n \"INFO: Probing ${PROBE_URL}... 
\"\n  if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n    echo \"INFO: Trying to clone known-false-positives..\"\n    git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n  fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n  echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n  mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n  echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n  # Build initial csfilter-kfp command\n  csfilter_kfp_cmd=(\n    csfilter-kfp\n    --verbose\n    --kfp-dir=\"${KFP_DIR}\"\n    --project-nvr=\"${PROJECT_NAME}\"\n  )\n\n  # Append --record-excluded option if RECORD_EXCLUDED is true\n  if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n    csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n  fi\n\n  # Execute the command and capture any errors\n  set +e\n  \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003esast_unicode_check_out.json 2\u003esast_unicode_check_out.error\n  status=$?\n  set -e\n  if [ \"$status\" -ne 0 ]; then\n    echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n  else\n    echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n  fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003esast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n  note=\"Task sast-unicode-check-oci-ta-min success: No finding was detected\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! 
-s sast_unicode_check_out.sarif ]]; then\n  note=\"Task sast-unicode-check-oci-ta-min success: Some findings were detected, but filtered by known false positive\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-unicode-check test failed because of the following issues:\"\n  cat sast_unicode_check_out.json\n  TEST_OUTPUT=\n  parse_test_output \"sast-unicode-check-oci-ta-min\" sarif sast_unicode_check_out.sarif || true\n  note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:180b50c7be50c20e3349a79df8dd6062fee0e0dd01aa30e9a09d1d07d9ebd0c2",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n  if [ ! -f \"${UPLOAD_FILE}\" ]; then\n    echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n    continue\n  fi\n\n  if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n    MEDIA_TYPE=application/json\n  else\n    MEDIA_TYPE=application/sarif+json\n  fi\n\n  echo \"Selecting auth\"\n  select-oci-auth \"${IMAGE_URL}\" \u003e\"${HOME}/auth.json\"\n  echo \"Attaching to ${IMAGE_URL}\"\n  retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/commit_sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "build.appstudio.redhat.com/target_branch": "base-vbzktl",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=58",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-vbzktl",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-wjhlte",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-4l278",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-vbzktl\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #234 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-vbzktl",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a/records/ad30eaf9-3ee2-430e-8c31-640b043863c6",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"f531195f8270badfde86d3c2463affa6ca989043\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-04-25T08:43:22Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998372575",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "f531195f8270badfde86d3c2463affa6ca989043",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-4l278",
                    "tekton.dev/pipelineRunUID": "f3d6bbf8-2f2c-42fc-847d-77690113687a",
                    "tekton.dev/pipelineTask": "tpa-scan",
                    "tekton.dev/task": "tpa-scan"
                },
                "name": "tsf-demo-comp-on-push-4l278-tpa-scan",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-4l278",
                        "uid": "f3d6bbf8-2f2c-42fc-847d-77690113687a"
                    }
                ],
                "resourceVersion": "44878",
                "uid": "ad30eaf9-3ee2-430e-8c31-640b043863c6"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "tpa-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan:0.1@sha256:68b6e188f742da92af9c40a794fd021a65d49b419d1e36096277b2d9ebbe1afc"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:43:49Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:43:49Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-4l278-tpa-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "68b6e188f742da92af9c40a794fd021a65d49b419d1e36096277b2d9ebbe1afc"
                        },
                        "entryPoint": "tpa-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043\", \"digests\": [\"sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\":\"sha256:295dec43ab59377a1bd34e100bfca01f637db097a7dc45bfd7a2ced7830fd4ee\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":6,\"high\":159,\"medium\":211,\"low\":20,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-04-25T08:43:48+00:00\",\"note\":\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-04-25T08:43:24Z",
                "steps": [
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49",
                        "name": "get-vulnerabilities",
                        "terminated": {
                            "containerID": "cri-o://c3cdd0603cf9b0c2351ea3128fb7f0c381888093bb20e69778216404df0591b6",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:32Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:29Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "oci-attach-report",
                        "terminated": {
                            "containerID": "cri-o://2cd5ec4ee41766c62b77a9b6bd130aef0e6eb23c53c4494e7059dc1261303ef5",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:35Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:32Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49",
                        "name": "conftest-vulnerabilities",
                        "terminated": {
                            "containerID": "cri-o://5e853d05c2bd9140caca1ccaccceb4fe869125efb1683a1dc65102fd7d1cef44",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:43:48Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043\\\", \\\"digests\\\": [\\\"sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67\\\":\\\"sha256:295dec43ab59377a1bd34e100bfca01f637db097a7dc45bfd7a2ced7830fd4ee\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":6,\\\"high\\\":159,\\\"medium\\\":211,\\\"low\\\":20,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:43:48+00:00\\\",\\\"note\\\":\\\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:43:35Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using the TPA vulnerability scanner, by comparing the components of the container image against the vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform which will be scanned by this task.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "https://exhort.stage.devshift.net/api/v5/analysis",
                            "description": "The URL of the TPA instance that will be used for scanning.",
                            "name": "tpa-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "TPA scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests.",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "2Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "2Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:b956e8ee7d8fc5ba5e28340c01bd4a658536edcac7aa36116edfd653e265ec67"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                },
                                {
                                    "name": "TPA_URL",
                                    "value": "https://exhort.stage.devshift.net/api/v5/analysis"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\necho \"Inspecting raw image manifest $imageanddigest.\"\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\necho \"Selecting auth\"\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${imageanddigest}\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task tpa-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". 
For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n\ntpa_scan() {\n  local sbom_file=${1}\n  local arch=${2}\n  local sbom_format\n\n  sbom_format=$(jq -r 'if .bomFormat == \"CycloneDX\" then \"cyclonedx\" else \"spdx\" end' \u003c \"${sbom_file}\")\n  retry curl -f --show-error -L -X POST -T \"${sbom_file}\" -H \"Content-Type:application/vnd.${sbom_format}+json\" \"${TPA_URL}\" | tee  \"tpa-report-${arch}.json\";\n}\n\nrun_tpa_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-${arch}.sha\"\n  local sbom_file_path=\"/tmp/sbom-${arch}.json\"\n  local arch_sha=\"\"\n\n  if [ -e \"${sha_file}\" ]; then\n    arch_sha=$(\u003c\"${sha_file}\")\n    arch_imageanddigest=$(echo -n \"${imagewithouttag}@${arch_sha}\")\n  else\n    echo \"Couldn't find the SHA file for the requested architecture.\"\n    exit 1\n  fi\n\n  echo \"Selecting auth\"\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${arch_imageanddigest}\" \u003e/tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  # Attempt to download the SBOM file via cosign\n\n  if ! 
retry cosign download sbom \"${arch_imageanddigest}\" \u003e \"${sbom_file_path}\"; then\n    echo \"Unable to download SBOM for the architecture ${arch}.\"\n    exit 1\n  fi\n\n  if [ -e \"${sbom_file_path}\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n\n    echo \"Running TPA scan on $arch image manifest...\"\n    tpa_scan \"${sbom_file_path}\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  else\n    echo \"Couldn't find the SBOM file for the requested ${arch} architecture.\"\n    exit 1\n  fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run the tpa scan on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 1\n      ;;\n  esac\n\n  run_tpa_on_arch \"$arch\"\n\n# If no platform is specified, run TPA scan on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_tpa_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:f531195f8270badfde86d3c2463affa6ca989043"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"tpa-report-*.json\" \u003e /dev/null; then\n  echo 'No TPA reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.tpa-report+json'\n\nreports_json=\"{}\"\nfor f in tpa-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${image_ref}\" \u003e/tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"/tmp/auth/config.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-user-workloads/rhtap-integration-tenant/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\ntpa_result_files=$(ls /tekton/home/tpa-report-*.json 2\u003e/dev/null || true)\nif [ -z \"$tpa_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No tpa-report files found in /tekton/home.\"\n  exit 1\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $tpa_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/tpa-report-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/rhtpa/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/tpa-vulnerabilities-\"${file_suffix}\".json || true\n  fi\n\n  #check for missing \"tpa-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/tpa-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/tpa-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task tpa-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/tpa-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? 
// [] | map(select(.metadata.details.name==\"rhtpa_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? 
// [] | map(select(.metadata.details.name==\"rhtpa_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/commit_sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/target_branch": "base-lrytgv",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=17",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-lrytgv",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-lrytgv",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25/records/f154e543-3b42-455c-a077-05e58fca9530",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"d8a3550152b3d095b9f67197858a8425267e1d43\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux"
                },
                "creationTimestamp": "2026-04-25T08:35:25Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRunUID": "2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah-oci-ta-min"
                },
                "name": "tsf-demo-comp-on-push-8flps-build-container",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-8flps",
                        "uid": "2a51b68d-133b-4b94-88f7-1d14be67aa25"
                    }
                ],
                "resourceVersion": "39772",
                "uid": "f154e543-3b42-455c-a077-05e58fca9530"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": ""
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "d8a3550152b3d095b9f67197858a8425267e1d43"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/rhads-tsf-qe/testrepo"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:be2a91667d531d14468d52352d718343354fe963f14987e644f505ded8328804"
                    },
                    {
                        "name": "CACHI2_ARTIFACT",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min:0.9@sha256:95c1b5a8b454e19bd4eb28bf90ee0247467743d0e0f5737d952dce1a99108d2f"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:38:00Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:38:00Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-8flps-build-container-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "95c1b5a8b454e19bd4eb28bf90ee0247467743d0e0f5737d952dce1a99108d2f"
                        },
                        "entryPoint": "buildah-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43@sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:53ee3fee58a4d41f7b9fe84a6cdf844b9899678c1469b8f21aed7856edcf57b8"
                    }
                ],
                "startTime": "2026-04-25T08:35:25Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad",
                        "name": "use-trusted-artifact",
                        "terminated": {
                            "containerID": "cri-o://744c3eac422622ab4ae71bbeb52836648b5d398d4f35ae19f6507a6de7273f71",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:35:53Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:35:53Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330",
                        "name": "build",
                        "terminated": {
                            "containerID": "cri-o://6da54b609cb49f155b002bf4cc7c5a0451f5556b49966dad25a2eb8f1bfce3c8",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:36:35Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:35:54Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330",
                        "name": "push",
                        "terminated": {
                            "containerID": "cri-o://4b3346cbaafd15a8c1475a6898cdac4781e27b90ae1665c650e55316c8cfac6d",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:36:49Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43@sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:36:35Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:b22b989da3c95cb0af862eeb82531ed4f687e948ca5fb6b965d1ea8fbd5054ce",
                        "name": "sbom-syft-generate",
                        "terminated": {
                            "containerID": "cri-o://d3e67a606e5e1cb1061afc8011fb80a30d46a38a21b58f8ea37ab4f495fa843b",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:37:29Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43@sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:36:50Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d",
                        "name": "prepare-sboms",
                        "terminated": {
                            "containerID": "cri-o://ec10b09d633cc0e649d9adbcff1c517fa8898a03c86d9a6def0f4ef84d44ed74",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:37:51Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43@sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:37:29Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:b22b989da3c95cb0af862eeb82531ed4f687e948ca5fb6b965d1ea8fbd5054ce",
                        "name": "upload-sbom",
                        "terminated": {
                            "containerID": "cri-o://9042997aa2ef42daf71d184e04af373ab65bc63f78c796393d8fe8fbdd51d496",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:37:59Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43@sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:53ee3fee58a4d41f7b9fe84a6cdf844b9899678c1469b8f21aed7856edcf57b8\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:37:52Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The Buildah task builds source code into a container image and pushes the image to a container registry using the buildah tool.\nIn addition, it generates an SBOM file, injects the SBOM file into the final container image and pushes the SBOM file as a separate image using the cosign tool.\nWhen the prefetch-dependencies task is activated, this task uses that task's artifacts to run the build in a hermetic environment.",
                    "params": [
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include in the SBOM. Array of image_reference_with_digest strings",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.",
                            "name": "CACHI2_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
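                        {
                            "default": "false",
                            "description": "Whether to enable privileged mode. When true, the build step adds --security-opt=label=disable, --cap-add=all and --device=/dev/fuse to the buildah arguments. Should be used only with remote VMs.",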
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to skip SBOM validation before save. Validation is optional - skip it if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify TLS on the registry endpoint. Set to false only for push/pull to a non-TLS registry.",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "256Mi"
                            },
                            "requests": {
                                "cpu": "100m",
                                "memory": "256Mi"
                            }
                        },
                        "env": [
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "."
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            },
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:be2a91667d531d14468d52352d718343354fe963f14987e644f505ded8328804=/var/workdir/source",
                                "=/var/workdir/cachi2"
                            ],
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad",
                            "name": "use-trusted-artifact",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "500m",
                                    "memory": "1Gi"
                                },
                                "requests": {
                                    "cpu": "500m",
                                    "memory": "1Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "d8a3550152b3d095b9f67197858a8425267e1d43"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/rhads-tsf-qe/testrepo"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n\"$source_dir_path\" | \"$source_dir_path/\"*)\n  # path is valid, do nothing\n  ;;\n*)\n  echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n  echo \"Source path: $source_dir_path\" \u003e\u00262\n  echo \"Resolved path: $context_dir_path\" \u003e\u00262\n  exit 1\n  ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  
update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e/etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    
if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c\"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n  --build-args)\n    shift\n    # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n    # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n    # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n    while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n      build_args+=(\"$1\")\n      shift\n    done\n    ;;\n  --env)\n    shift\n    # Collect env entries of the form KEY=value\n    while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n      env_vars+=(\"$1\")\n      shift\n    done\n    ;;\n  --labels)\n    shift\n    while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n      LABELS+=(\"--label\" \"$1\")\n      shift\n    done\n    ;;\n  --annotations)\n    shift\n    while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n      ANNOTATIONS+=(\"--annotation\" \"$1\")\n      shift\n    done\n    ;;\n  *)\n    echo \"unexpected argument: $1\" \u003e\u00262\n    exit 2\n    ;;\n  esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e/shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n  jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n    tr -d 
'\"' |\n    tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"; then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ]; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ]; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot 
use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/var/workdir/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e/shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/var/workdir/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n    -e 'H;1h;$!d;x' \\\n    -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. 
/cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n    \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" 
\"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null$()\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. 
If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' 
\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e\"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. 
Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key\n    -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z\n    -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"; then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e/dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed 
in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c\"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n  buildah build\n  \"${VOLUME_MOUNTS[@]}\"\n  \"${BUILDAH_ARGS[@]}\"\n  \"${LABELS[@]}\"\n  \"${ANNOTATIONS[@]}\"\n  --tls-verify=\"$TLSVERIFY\" --no-cache\n  --ulimit nofile=4096:4096\n  --http-proxy=false\n  -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  
command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e/shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "tsf-demo-comp-on-push-8flps-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"; then\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/var/workdir/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"; then\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c\"/var/workdir\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/var/workdir/image-digest\"\n} \u003e\"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! 
RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"; then\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n   [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n   [rekorInternalUrl]=REKOR_URL\n   [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n   [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n   [rekorInternalUrl]=rekorExternalUrl\n   [fulcioInternalUrl]=fulcioExternalUrl\n   [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e/shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! 
retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e/tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"; then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "256m",
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "256m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\ncyclonedx)\n  syft_sbom_type=cyclonedx-json@1.5\n  ;;\nspdx)\n  syft_sbom_type=spdx-json@2.3\n  ;;\n*)\n  echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n  exit 1\n  ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/var/workdir/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/var/workdir/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.2.0-1774868067@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n  --additional-base-images)\n    shift\n    while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n      ADDITIONAL_BASE_IMAGES+=(\"$1\")\n      shift\n    done\n    ;;\n  *)\n    echo \"unexpected argument: $1\" \u003e\u00262\n    exit 2\n    ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/var/workdir/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/var/workdir/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/var/workdir/sbom-source.json\")\nfi\n\nif [ -f \"/var/workdir/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/var/workdir/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f 
\"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/var/workdir"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"; then\n  echo \"Failed to push sbom to registry\"\n  exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! 
retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format consistency with the cyclonedx format, we want to use spdxjson instead of spdx\n    # spdx exports data as a raw string, we want structured json as with cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"; then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/commit_sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/target_branch": "base-lrytgv",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=20",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-lrytgv",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-lrytgv",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25/records/62edd3ab-58ae-4e90-83b4-984c84bf843f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"d8a3550152b3d095b9f67197858a8425267e1d43\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux"
                },
                "creationTimestamp": "2026-04-25T08:38:00Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRunUID": "2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index-min"
                },
                "name": "tsf-demo-comp-on-push-8flps-build-image-index",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-8flps",
                        "uid": "2a51b68d-133b-4b94-88f7-1d14be67aa25"
                    }
                ],
                "resourceVersion": "39784",
                "uid": "62edd3ab-58ae-4e90-83b4-984c84bf843f"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "d8a3550152b3d095b9f67197858a8425267e1d43"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": ""
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43@sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index-min:0.2@sha256:79b412747e07caf80cace222ef8ee7e7955676f7928b893ed39c107f4ec62bf3"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:38:06Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:38:06Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-8flps-build-image-index-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "79b412747e07caf80cace222ef8ee7e7955676f7928b893ed39c107f4ec62bf3"
                        },
                        "entryPoint": "build-image-index-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index-min"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                    }
                ],
                "startTime": "2026-04-25T08:38:00Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330",
                        "name": "build",
                        "terminated": {
                            "containerID": "cri-o://d7ebd2d574a49674d3fa31219928e640ddd5c0d2d254563d2b3903a4749462ba",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:38:05Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:38:05Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d",
                        "name": "create-sbom",
                        "terminated": {
                            "containerID": "cri-o://c4a6a4b2bb51f0badc0e1dd3a7ee2e2fd6250878b018b9119ba6f8b4e3586bdb",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:38:05Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:38:05Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:b22b989da3c95cb0af862eeb82531ed4f687e948ca5fb6b965d1ea8fbd5054ce",
                        "name": "upload-sbom",
                        "terminated": {
                            "containerID": "cri-o://9e75e0e44451f1d8863c0dc4cb3f033da93db8dd0ec65ce7d43dff7afea6ea2d",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:38:05Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:38:05Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify TLS on the registry endpoint (set to false for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to true to skip SBOM validation before save. Validation is optional - skip it if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Digest-pinned reference (repository@sha256:digest) to the SBOM blob, to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "d8a3550152b3d095b9f67197858a8425267e1d43"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43@sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. 
Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! 
retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:tsf-demo-comp-on-push-8flps-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:tsf-demo-comp-on-push-8flps-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.2.0-1774868067@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/commit_sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/target_branch": "base-lrytgv",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=36",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-lrytgv",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-lrytgv",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25/records/f6991477-3095-487b-8fc7-d47220d0897f",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"d8a3550152b3d095b9f67197858a8425267e1d43\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-04-25T08:38:06Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRunUID": "2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan-min"
                },
                "name": "tsf-demo-comp-on-push-8flps-clair-scan",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-8flps",
                        "uid": "2a51b68d-133b-4b94-88f7-1d14be67aa25"
                    }
                ],
                "resourceVersion": "42877",
                "uid": "f6991477-3095-487b-8fc7-d47220d0897f"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan-min:0.3@sha256:c117d0fd0b5413b5addb014027f06b1ea2c39c8e962876810c40c7baf5b54e72"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:42:23Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:42:23Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-8flps-clair-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c117d0fd0b5413b5addb014027f06b1ea2c39c8e962876810c40c7baf5b54e72"
                        },
                        "entryPoint": "clair-scan-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan-min"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43\", \"digests\": [\"sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\":\"sha256:807763e31cdc534b6aa0783a7c71d7d2f94960b70466bc6e5efffad41e9308c8\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":12,\"medium\":187,\"low\":285,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-04-25T08:42:22+00:00\",\"note\":\"Task clair-scan-min completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-04-25T08:38:06Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                        "name": "get-image-manifests",
                        "terminated": {
                            "containerID": "cri-o://e0e7ab1a8673f9b84213172395fe6e04f86d0d4ba823cb654b02057071c9fefe",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:40:15Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:40:09Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:b72729ad74202d2ec5d306f20602a74edc489060f39063d60d1ce7c6583b6bac",
                        "name": "get-vulnerabilities",
                        "terminated": {
                            "containerID": "cri-o://a78ce373b1d11d1b006d241c5c1107e253cad599a4fc155ef5b60a5901cc3c95",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:42:11Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:40:15Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "oci-attach-report",
                        "terminated": {
                            "containerID": "cri-o://0e49a16074a7c02c810becdcbde42514f7b67bfc5f36b4dfe90ab65bd8ee8d85",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:42:15Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:42:11Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                        "name": "conftest-vulnerabilities",
                        "terminated": {
                            "containerID": "cri-o://8a945a0763781052c84eeb0d2ba2a3c254ba63305cb355fbf929ce1cf7c9fcda",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:42:22Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43\\\", \\\"digests\\\": [\\\"sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\\\":\\\"sha256:807763e31cdc534b6aa0783a7c71d7d2f94960b70466bc6e5efffad41e9308c8\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":12,\\\"medium\\\":187,\\\"low\\\":285,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:42:22+00:00\\\",\\\"note\\\":\\\"Task clair-scan-min completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:42:16Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "RETRY_COUNT",
                                "value": "5"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.51@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$IMAGE_URL\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan-min failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$IMAGE_URL\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --docker-config-dir=/tmp/auth --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. 
If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.51@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan-min failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? 
// [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? 
// [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan-min completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/commit_sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/target_branch": "base-lrytgv",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=38",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-lrytgv",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-lrytgv",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25/records/7baa9571-982a-4f08-9a79-b29b03e20005",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"d8a3550152b3d095b9f67197858a8425267e1d43\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux"
                },
                "creationTimestamp": "2026-04-25T08:38:06Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRunUID": "2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan-min"
                },
                "name": "tsf-demo-comp-on-push-8flps-clamav-scan",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-8flps",
                        "uid": "2a51b68d-133b-4b94-88f7-1d14be67aa25"
                    }
                ],
                "resourceVersion": "43198",
                "uid": "7baa9571-982a-4f08-9a79-b29b03e20005"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min:0.3@sha256:589e34f73d310aa993c9761d8b78265a904a121028bda2809d8a2d0500454bd8"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:42:56Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:42:56Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-8flps-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "589e34f73d310aa993c9761d8b78265a904a121028bda2809d8a2d0500454bd8"
                        },
                        "entryPoint": "clamav-scan-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43\", \"digests\": [\"sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1777106573\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-04-25T08:38:06Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:0d229662067b3127c16fc1d87a22743f21cb3f5d4fd18eafc462b99cfc6efefa",
                        "name": "extract-and-scan-image",
                        "terminated": {
                            "containerID": "cri-o://cec2a9850ed464cca253fc4a88923d960903c93c34e60599daa99cd010a4f293",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:42:53Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43\\\", \\\"digests\\\": [\\\"sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106573\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:16Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "upload",
                        "terminated": {
                            "containerID": "cri-o://decf58e33e45beb57c6849a606c3a7234c89cb7a6da388e2b14c3eac943c2041",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:42:55Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43\\\", \\\"digests\\\": [\\\"sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106573\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:42:53Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using the ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "512m",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "512m",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. 
This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. 
/utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! 
echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". 
For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan-min failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). 
Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan-min failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. 
Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. 
Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/commit_sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/target_branch": "base-lrytgv",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=5",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-lrytgv",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-lrytgv",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25/records/3f58a8c4-e893-4a29-8318-4ce497e2b706",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"d8a3550152b3d095b9f67197858a8425267e1d43\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone oci trusted artifacts",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git"
                },
                "creationTimestamp": "2026-04-25T08:34:47Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRunUID": "2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone-oci-ta-min"
                },
                "name": "tsf-demo-comp-on-push-8flps-clone-repository",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-8flps",
                        "uid": "2a51b68d-133b-4b94-88f7-1d14be67aa25"
                    }
                ],
                "resourceVersion": "37168",
                "uid": "3f58a8c4-e893-4a29-8318-4ce497e2b706"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/rhads-tsf-qe/testrepo"
                    },
                    {
                        "name": "revision",
                        "value": "d8a3550152b3d095b9f67197858a8425267e1d43"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43.git"
                    },
                    {
                        "name": "ociArtifactExpiresAfter",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min:0.1@sha256:2fff50eaed7d278c3ed82375d28241eaf6eecbc389ec4d44992721786a0dfa68"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-jzlwrc"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:34:55Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:34:55Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-8flps-clone-repository-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "2fff50eaed7d278c3ed82375d28241eaf6eecbc389ec4d44992721786a0dfa68"
                        },
                        "entryPoint": "git-clone-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "d8a3550152b3d095b9f67197858a8425267e1d43"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/rhads-tsf-qe/testrepo"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "d8a3550152b3d095b9f67197858a8425267e1d43"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1777106072"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "d8a3550"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/rhads-tsf-qe/testrepo"
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "type": "string",
                        "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:be2a91667d531d14468d52352d718343354fe963f14987e644f505ded8328804"
                    }
                ],
                "startTime": "2026-04-25T08:34:47Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "terminated": {
                            "containerID": "cri-o://7c5d86e921d6fab12e34c2181d1a793c5b5723d8741991a3e82f82e095f0902d",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:34:52Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"d8a3550152b3d095b9f67197858a8425267e1d43\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1},{\"key\":\"commit\",\"value\":\"d8a3550152b3d095b9f67197858a8425267e1d43\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1777106072\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"d8a3550\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:34:52Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "terminated": {
                            "containerID": "cri-o://321311abfdda7bc134021369de814c3d4c4b68e310ff6b638f8d77b1dbabe1c5",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:34:53Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"d8a3550152b3d095b9f67197858a8425267e1d43\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1},{\"key\":\"commit\",\"value\":\"d8a3550152b3d095b9f67197858a8425267e1d43\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1777106072\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"d8a3550\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:34:53Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad",
                        "name": "create-trusted-artifact",
                        "terminated": {
                            "containerID": "cri-o://b34c3d9aac1be621edda87fb9868f44bc7b84aa354b36b9408533c4f5b214694",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:34:55Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"d8a3550152b3d095b9f67197858a8425267e1d43\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:be2a91667d531d14468d52352d718343354fe963f14987e644f505ded8328804\",\"type\":1},{\"key\":\"commit\",\"value\":\"d8a3550152b3d095b9f67197858a8425267e1d43\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1777106072\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"d8a3550\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:34:53Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted artifact in the provided OCI repository.",
                    "params": [
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "description": "The OCI repository where the Trusted Artifacts are stored.",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` disables TLS certificate verification for HTTPS remotes and is not advised unless you are sure that you trust your git remote.",
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/rhads-tsf-qe/testrepo"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "d8a3550152b3d095b9f67197858a8425267e1d43"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                },
                                {
                                    "name": "CHECKOUT_DIR",
                                    "value": "/var/workdir/source"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ]; then\n  set -x\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ]; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e\"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e\"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ]; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export 
NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. 
Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\n  if ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n    echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n    echo \"--- Git Status ---\"\n    git status\n    echo \"------------------\"\n    exit 1\n  fi\n\n  # Check if there are changes staged for commit\n  if git diff --staged --quiet; then\n    echo \"No diff was found, skipping merge...\" \u003e\u00262\n  else\n    echo \"Merge successful (no conflicts found), committing...\"\n    if ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n      echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n      exit 1\n    fi\n    MERGED_SHA=$(git rev-parse HEAD)\n    echo \"New HEAD after merge: ${MERGED_SHA}\"\n    echo \"${MERGED_SHA}\" \u003e\"/tekton/results/merged_sha\"\n  fi\n\nelse\n  echo \"Merge option disabled. 
Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e\"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e\"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ]; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/workdir",
                                    "name": "workdir"
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "CHECKOUT_DIR",
                                    "value": "/var/workdir/source"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink; do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ]; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ]; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/workdir",
                                    "name": "workdir"
                                }
                            ]
                        },
                        {
                            "args": [
                                "create",
                                "--store",
                                "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43.git",
                                "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_EXPIRES_AFTER"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad",
                            "name": "create-trusted-artifact",
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/workdir",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/commit_sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/target_branch": "base-lrytgv",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=25",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-lrytgv",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-lrytgv",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25/records/defecd9e-19d2-41b4-a0ea-1d7460b15838",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"d8a3550152b3d095b9f67197858a8425267e1d43\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-04-25T08:38:06Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRunUID": "2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check"
                },
                "name": "tsf-demo-comp-on-push-8flps-deprecated-base-image-check",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-8flps",
                        "uid": "2a51b68d-133b-4b94-88f7-1d14be67aa25"
                    }
                ],
                "resourceVersion": "41285",
                "uid": "defecd9e-19d2-41b4-a0ea-1d7460b15838"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:39:26Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:39:26Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-8flps-deprecated-base-image-check-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43\", \"digests\": [\"sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-04-25T08:39:25+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":1,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-04-25T08:38:06Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:3bba1fe5ad96bd3811f34b367487192683aa9b1ba343da4885dda565b0a7207e",
                        "name": "check-images",
                        "terminated": {
                            "containerID": "cri-o://71e74994b49c2e8f5860c18fc8bcdfd887d4d6315474aea2c32e9a9b6ce98019",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:25Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43\\\", \\\"digests\\\": [\\\"sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:39:25+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":1,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:17Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? 
| select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: 
registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. 
Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/commit_sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/target_branch": "base-lrytgv",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=3",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-lrytgv",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-lrytgv",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25/records/c609a9ef-81eb-49eb-9c07-f6d85ff9fd95",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"d8a3550152b3d095b9f67197858a8425267e1d43\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-04-25T08:34:43Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRunUID": "2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init"
                },
                "name": "tsf-demo-comp-on-push-8flps-init",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-8flps",
                        "uid": "2a51b68d-133b-4b94-88f7-1d14be67aa25"
                    }
                ],
                "resourceVersion": "36907",
                "uid": "c609a9ef-81eb-49eb-9c07-f6d85ff9fd95"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:34:46Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:34:46Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-8flps-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-04-25T08:34:43Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:2d1039b614888ca46d5d771ca886a5843e56ac9acf7210040a61075371338247",
                        "name": "init",
                        "terminated": {
                            "containerID": "cri-o://a9ce0c4723767094c0723ee91abec620a9f829215e431c9fb8ef0e7559f70498",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:34:45Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:34:45Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task. Enables cache-proxy configuration if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/commit_sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/target_branch": "base-lrytgv",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=6",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-lrytgv",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-lrytgv",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25/records/fc744346-6ff2-4f0b-a0a7-a28866a642be",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"d8a3550152b3d095b9f67197858a8425267e1d43\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux"
                },
                "creationTimestamp": "2026-04-25T08:34:57Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRunUID": "2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies-oci-ta-min"
                },
                "name": "tsf-demo-comp-on-push-8flps-prefetch-dependencies",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-8flps",
                        "uid": "2a51b68d-133b-4b94-88f7-1d14be67aa25"
                    }
                ],
                "resourceVersion": "37546",
                "uid": "fc744346-6ff2-4f0b-a0a7-a28866a642be"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:be2a91667d531d14468d52352d718343354fe963f14987e644f505ded8328804"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43.prefetch"
                    },
                    {
                        "name": "ociArtifactExpiresAfter",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min:0.3@sha256:1a41e7ee19f9e02874b4ef1f74e6f588a7601deaf5b30ca0862808e5760cea5d"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-jzlwrc"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:35:24Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:35:24Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-8flps-prefetch-dependencies-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "1a41e7ee19f9e02874b4ef1f74e6f588a7601deaf5b30ca0862808e5760cea5d"
                        },
                        "entryPoint": "prefetch-dependencies-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "CACHI2_ARTIFACT",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "type": "string",
                        "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:be2a91667d531d14468d52352d718343354fe963f14987e644f505ded8328804"
                    }
                ],
                "startTime": "2026-04-25T08:34:58Z",
                "steps": [
                    {
                        "container": "step-skip-ta",
                        "imageID": "registry.access.redhat.com/ubi9/ubi-minimal@sha256:83006d535923fcf1345067873524a3980316f51794f01d8655be55d6e9387183",
                        "name": "skip-ta",
                        "terminated": {
                            "containerID": "cri-o://090eab22ed7cfcca9b2f394617ca80a99ad6798cfe517037a1ea53755420c790",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:35:02Z",
                            "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:be2a91667d531d14468d52352d718343354fe963f14987e644f505ded8328804\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:35:02Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:6ee5ae7d29b718eb3c69e55f1ec3a3264bc1a03ba398b2e1f34c7a20af1720d1",
                        "name": "use-trusted-artifact",
                        "terminated": {
                            "containerID": "cri-o://7d9f08bafd5b76f5a9d42138e34c757b8a0f267a93d549f21c147aa7f038c77b",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:35:02Z",
                            "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:be2a91667d531d14468d52352d718343354fe963f14987e644f505ded8328804\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:35:02Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:0101888c066cc428dbbe87f91752e6208cdfdce5e68f6d7b1a773ec281870784",
                        "name": "prefetch-dependencies",
                        "terminated": {
                            "containerID": "cri-o://029dd33da2b124ee3f54c472582394f9dd19312c04c3a6aa11d075339bdb9a1e",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:35:23Z",
                            "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:be2a91667d531d14468d52352d718343354fe963f14987e644f505ded8328804\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:35:03Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:6ee5ae7d29b718eb3c69e55f1ec3a3264bc1a03ba398b2e1f34c7a20af1720d1",
                        "name": "create-trusted-artifact",
                        "terminated": {
                            "containerID": "cri-o://8d894d04fa5584b72487d48b898b31acd4a7688b9985e8197ebbd09fd8b471bd",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:35:24Z",
                            "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:be2a91667d531d14468d52352d718343354fe963f14987e644f505ded8328804\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:35:24Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for a hermetic build.",
                    "params": [
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "description": "The OCI repository where the Trusted Artifacts are stored.",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.",
                            "name": "CACHI2_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "INPUT"
                                },
                                {
                                    "name": "SOURCE_ARTIFACT",
                                    "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:be2a91667d531d14468d52352d718343354fe963f14987e644f505ded8328804"
                                }
                            ],
                            "image": "registry.access.redhat.com/ubi9/ubi-minimal:9.7-1773939694@sha256:83006d535923fcf1345067873524a3980316f51794f01d8655be55d6e9387183",
                            "name": "skip-ta",
                            "script": "#!/bin/bash\n\nif [ -z \"${INPUT}\" ]; then\n  mkdir -p /var/workdir/source\n  mkdir -p /var/workdir/cachi2\n  echo \"true\" \u003e/var/workdir/source/.skip-trusted-artifacts\n  echo \"true\" \u003e/var/workdir/cachi2/.skip-trusted-artifacts\n  echo -n \"${SOURCE_ARTIFACT}\" \u003e\"/tekton/results/SOURCE_ARTIFACT\"\n  echo -n \"\" \u003e\"/tekton/results/CACHI2_ARTIFACT\"\nfi\n"
                        },
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:be2a91667d531d14468d52352d718343354fe963f14987e644f505ded8328804=/var/workdir/source"
                            ],
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:6ee5ae7d29b718eb3c69e55f1ec3a3264bc1a03ba398b2e1f34c7a20af1720d1",
                            "name": "use-trusted-artifact"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/var/workdir/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/var/workdir/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/var/workdir/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e/mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "args": [
                                "create",
                                "--store",
                                "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43.prefetch",
                                "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source",
                                "/tekton/results/CACHI2_ARTIFACT=/var/workdir/cachi2"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_EXPIRES_AFTER"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:6ee5ae7d29b718eb3c69e55f1ec3a3264bc1a03ba398b2e1f34c7a20af1720d1",
                            "name": "create-trusted-artifact"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/commit_sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/target_branch": "base-lrytgv",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=34",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-lrytgv",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-lrytgv",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25/records/688de300-0414-4e37-a2cd-5d4204a85606",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"d8a3550152b3d095b9f67197858a8425267e1d43\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "results.tekton.dev/stored": "true"
                },
                "creationTimestamp": "2026-04-25T08:38:06Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRunUID": "2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan"
                },
                "name": "tsf-demo-comp-on-push-8flps-rpms-signature-scan",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-8flps",
                        "uid": "2a51b68d-133b-4b94-88f7-1d14be67aa25"
                    }
                ],
                "resourceVersion": "41820",
                "uid": "688de300-0414-4e37-a2cd-5d4204a85606"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:40:17Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:40:17Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-8flps-rpms-signature-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43\", \"digests\": [\"sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 183, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-04-25T08:40:00+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-04-25T08:38:07Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "terminated": {
                            "containerID": "cri-o://39878a8e062454b5c29b3d3cc5b5fd61fc6cbdf1a4043cc635eda30f13c4f9fe",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:40:00Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:44Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "terminated": {
                            "containerID": "cri-o://c17e74a96ccf27c7772e833a397f51a7dc2f0138234a741ebca0bb16b591e55f",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:40:01Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43\\\", \\\"digests\\\": [\\\"sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 183, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:40:00+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:40:00Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provides information about RPM signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/commit_sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/target_branch": "base-lrytgv",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=26",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-lrytgv",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-lrytgv",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25/records/cc228eec-d4c9-4ce1-8139-cd799ae92954",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"d8a3550152b3d095b9f67197858a8425267e1d43\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-04-25T08:38:06Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRunUID": "2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check-oci-ta-min"
                },
                "name": "tsf-demo-comp-on-push-8flps-sast-shell-check",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-8flps",
                        "uid": "2a51b68d-133b-4b94-88f7-1d14be67aa25"
                    }
                ],
                "resourceVersion": "41354",
                "uid": "cc228eec-d4c9-4ce1-8139-cd799ae92954"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:be2a91667d531d14468d52352d718343354fe963f14987e644f505ded8328804"
                    },
                    {
                        "name": "CACHI2_ARTIFACT",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min:0.1@sha256:fa19753f59288a397aab2ddb9459f35f0ec1b89f43c36e944a3958db72becb5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:39:27Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:39:27Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-8flps-sast-shell-check-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "fa19753f59288a397aab2ddb9459f35f0ec1b89f43c36e944a3958db72becb5a"
                        },
                        "entryPoint": "sast-shell-check-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-04-25T08:39:25+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-04-25T08:38:06Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:ab064e9763b62d99da5ee9653370da86ffd9d3e770e1aad7a935e88b64a0b6ac",
                        "name": "use-trusted-artifact",
                        "terminated": {
                            "containerID": "cri-o://d2cde77b0859ba924fa8937823be8530a7f8b4dcce6bf1197420171a37d796cf",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:19Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:19Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                        "name": "sast-shell-check",
                        "terminated": {
                            "containerID": "cri-o://3c6d50e77e8b6ac808e79e0422238e34d0b787d2cd682702961257df63bf6964",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:25Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:39:25+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:180b50c7be50c20e3349a79df8dd6062fee0e0dd01aa30e9a09d1d07d9ebd0c2",
                        "name": "upload",
                        "terminated": {
                            "containerID": "cri-o://ecc0ddb4027035bc3be91713100797f3f562e59c6ade9673f31c34c01d68e3bb",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:27Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:39:25+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:26Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses the [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool that gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.",
                            "name": "CACHI2_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for an internal Konflux instance and an empty string for an external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:be2a91667d531d14468d52352d718343354fe963f14987e644f505ded8328804=/var/workdir/source",
                                "=/var/workdir/cachi2"
                            ],
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:ab064e9763b62d99da5ee9653370da86ffd9d3e770e1aad7a935e88b64a0b6ac",
                            "name": "use-trusted-artifact",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "128m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "128m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.51@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n  PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/var/workdir/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c\"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n  read -r quota period \u003c/sys/fs/cgroup/cpu.max\n  if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n    export SC_JOBS=$(((quota + period - 1) / period))\n    echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n  fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh 
\"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n  --mode=json\n  --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n  --remove-duplicates\n  --embed-context=3\n  --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n  # predefined list of shellcheck important findings\n  CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n  CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n  CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n  CSGREP_OPTS+=(\n    --event=\"$CSGREP_EVENT_FILTER\"\n  )\nelse\n  CSGREP_OPTS+=(\n    --event=\"error|warning\"\n  )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e\"$OUTPUT_FILE\"; then\n  echo \"Error occurred while running 'run-shellcheck.sh'\"\n  note=\"Task sast-shell-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n  KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n  # Default location only reachable from internal Konflux instances, check reachable first\n  echo -n \"INFO: Probing ${PROBE_URL}... 
\"\n  if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n    echo \"INFO: Trying to clone known-false-positives..\"\n    git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n  fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n  echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n  echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n  # build initial csfilter-kfp command\n  csfilter_kfp_cmd=(\n    csfilter-kfp\n    --verbose\n    --kfp-dir=\"${KFP_DIR}\"\n    --project-nvr=\"${PROJECT_NAME}\"\n  )\n\n  if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n    csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n  fi\n\n  # Execute the command and capture any errors\n  set +e\n  \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e\"${OUTPUT_FILE}.filtered\" 2\u003e\"${OUTPUT_FILE}.error\"\n  status=$?\n  set -e\n  if [ \"$status\" -ne 0 ]; then\n    echo \"WARN: failed to filter known false positives\" \u003e\u00262\n  else\n    mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n    echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n  fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003eshellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check-oci-ta-min\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:180b50c7be50c20e3349a79df8dd6062fee0e0dd01aa30e9a09d1d07d9ebd0c2",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n  echo 'No image-url or image-digest param provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n  if [ ! -f \"${UPLOAD_FILE}\" ]; then\n    echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n    continue\n  fi\n\n  # Determine the media type based on the file extension\n  if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n    MEDIA_TYPE=\"application/json\"\n  else\n    MEDIA_TYPE=\"application/sarif+json\"\n  fi\n\n  echo \"Selecting auth\"\n  select-oci-auth \"$IMAGE_URL\" \u003e\"$HOME/auth.json\"\n  echo \"Attaching to ${IMAGE_URL}\"\n  if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"; then\n    echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n    exit 1\n  fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/commit_sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/target_branch": "base-lrytgv",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=24",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-lrytgv",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-lrytgv",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25/records/86713481-c891-4f03-955d-ca94bb937354",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"d8a3550152b3d095b9f67197858a8425267e1d43\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-04-25T08:38:06Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRunUID": "2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check-oci-ta-min"
                },
                "name": "tsf-demo-comp-on-push-8flps-sast-unicode-check",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-8flps",
                        "uid": "2a51b68d-133b-4b94-88f7-1d14be67aa25"
                    }
                ],
                "resourceVersion": "41101",
                "uid": "86713481-c891-4f03-955d-ca94bb937354"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:be2a91667d531d14468d52352d718343354fe963f14987e644f505ded8328804"
                    },
                    {
                        "name": "CACHI2_ARTIFACT",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min:0.4@sha256:624d9ed6d461b59a16d8c1578276626c02fa6d56e0ee4bcd752f7859055f21ab"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:39:23Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:39:23Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-8flps-sast-unicode-check-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "624d9ed6d461b59a16d8c1578276626c02fa6d56e0ee4bcd752f7859055f21ab"
                        },
                        "entryPoint": "sast-unicode-check-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-04-25T08:39:20+00:00\",\"note\":\"Task sast-unicode-check-oci-ta-min success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-04-25T08:38:07Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:ab064e9763b62d99da5ee9653370da86ffd9d3e770e1aad7a935e88b64a0b6ac",
                        "name": "use-trusted-artifact",
                        "terminated": {
                            "containerID": "cri-o://6fc308acfb607e0b71c84cb377d9d62d62d2a0ede30e918be7f90dc2aa3fd093",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:19Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:19Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                        "name": "sast-unicode-check",
                        "terminated": {
                            "containerID": "cri-o://941801fdc6637f491eb52daf98543f67f5b3741d7801633d93aabb7d193fbc56",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:20Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:39:20+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta-min success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:180b50c7be50c20e3349a79df8dd6062fee0e0dd01aa30e9a09d1d07d9ebd0c2",
                        "name": "upload",
                        "terminated": {
                            "containerID": "cri-o://0255a639c4a53423a54c38dca44637b0f32c7d351ae9b72f8885c4cfb4495c8c",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:22Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:39:20+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta-min success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:21Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "default": "",
                            "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.",
                            "name": "CACHI2_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
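                            "description": "Arguments passed to the find-unicode-control command. The step script expands this value unquoted, so it is split on whitespace into separate arguments.",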
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instances and an empty string for external Konflux instances. If set to an empty string, KFP filtering is disabled. If the URL cannot be probed or cloned, the step logs a warning and leaves the scan results unfiltered.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:be2a91667d531d14468d52352d718343354fe963f14987e644f505ded8328804=/var/workdir/source",
                                "=/var/workdir/cachi2"
                            ],
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:ab064e9763b62d99da5ee9653370da86ffd9d3e770e1aad7a935e88b64a0b6ac",
                            "name": "use-trusted-artifact",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "128m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/var/workdir"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.51@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n  PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n  \u003eraw_sast_unicode_check_out.txt \\\n  2\u003eraw_sast_unicode_check_out.log ||\n  FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n  echo \"Failed to run find-unicode-control command\" \u003e\u00262\n  cat raw_sast_unicode_check_out.log\n  note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 1\nfi\n\n# Translate the output format\nif ! 
sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n  echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n  note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n  --mode=json\n  --remove-duplicates\n  --embed-context=3\n  --set-scan-prop=\"${SCAN_PROP}\"\n  --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003eprocessed_sast_unicode_check_out.json 2\u003eprocessed_sast_unicode_check_out.err; then\n  echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n  cat processed_sast_unicode_check_out.err\n  note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n  KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n  # Default location only reachable from internal Konflux instances, check reachable first\n  echo -n \"INFO: Probing ${PROBE_URL}... 
\"\n  if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n    echo \"INFO: Trying to clone known-false-positives..\"\n    git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n  fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n  echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n  mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n  echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n  # Build initial csfilter-kfp command\n  csfilter_kfp_cmd=(\n    csfilter-kfp\n    --verbose\n    --kfp-dir=\"${KFP_DIR}\"\n    --project-nvr=\"${PROJECT_NAME}\"\n  )\n\n  # Append --record-excluded option if RECORD_EXCLUDED is true\n  if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n    csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n  fi\n\n  # Execute the command and capture any errors\n  set +e\n  \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003esast_unicode_check_out.json 2\u003esast_unicode_check_out.error\n  status=$?\n  set -e\n  if [ \"$status\" -ne 0 ]; then\n    echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n  else\n    echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n  fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003esast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n  note=\"Task sast-unicode-check-oci-ta-min success: No finding was detected\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! 
-s sast_unicode_check_out.sarif ]]; then\n  note=\"Task sast-unicode-check-oci-ta-min success: Some findings were detected, but filtered by known false positive\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-unicode-check test failed because of the following issues:\"\n  cat sast_unicode_check_out.json\n  TEST_OUTPUT=\n  parse_test_output \"sast-unicode-check-oci-ta-min\" sarif sast_unicode_check_out.sarif || true\n  note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:180b50c7be50c20e3349a79df8dd6062fee0e0dd01aa30e9a09d1d07d9ebd0c2",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n  if [ ! -f \"${UPLOAD_FILE}\" ]; then\n    echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n    continue\n  fi\n\n  if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n    MEDIA_TYPE=application/json\n  else\n    MEDIA_TYPE=application/sarif+json\n  fi\n\n  echo \"Selecting auth\"\n  select-oci-auth \"${IMAGE_URL}\" \u003e\"${HOME}/auth.json\"\n  echo \"Attaching to ${IMAGE_URL}\"\n  retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/commit_sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "build.appstudio.redhat.com/target_branch": "base-lrytgv",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=29",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-lrytgv",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jzlwrc",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-8flps",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-lrytgv\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #233 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-lrytgv",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25/records/5c26892d-2d4a-4c33-85b7-b04ceab67f5d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"d8a3550152b3d095b9f67197858a8425267e1d43\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-04-25T08:38:06Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998167190",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "d8a3550152b3d095b9f67197858a8425267e1d43",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-8flps",
                    "tekton.dev/pipelineRunUID": "2a51b68d-133b-4b94-88f7-1d14be67aa25",
                    "tekton.dev/pipelineTask": "tpa-scan",
                    "tekton.dev/task": "tpa-scan"
                },
                "name": "tsf-demo-comp-on-push-8flps-tpa-scan",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-8flps",
                        "uid": "2a51b68d-133b-4b94-88f7-1d14be67aa25"
                    }
                ],
                "resourceVersion": "41511",
                "uid": "5c26892d-2d4a-4c33-85b7-b04ceab67f5d"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "tpa-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan:0.1@sha256:68b6e188f742da92af9c40a794fd021a65d49b419d1e36096277b2d9ebbe1afc"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:39:39Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:39:39Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-8flps-tpa-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "68b6e188f742da92af9c40a794fd021a65d49b419d1e36096277b2d9ebbe1afc"
                        },
                        "entryPoint": "tpa-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43\", \"digests\": [\"sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\":\"sha256:f2f7cc9fa5367ae1b8d68e80e7063b235f8444c005777c94b7598e99f4b5a400\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":6,\"high\":159,\"medium\":211,\"low\":20,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-04-25T08:39:38+00:00\",\"note\":\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-04-25T08:38:08Z",
                "steps": [
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49",
                        "name": "get-vulnerabilities",
                        "terminated": {
                            "containerID": "cri-o://6dd7a87a13dfd3948b079e83f1f3dd757d795653f4bcbe9b5f9e13a5753ed20a",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:20Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:18Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "oci-attach-report",
                        "terminated": {
                            "containerID": "cri-o://4ca0496a0db904798f8e839ecfc38b2bf4d726d31174fe73e79a6f2bad66d513",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:24Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:21Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49",
                        "name": "conftest-vulnerabilities",
                        "terminated": {
                            "containerID": "cri-o://2d442b054d30a228dbe1a7bcb370b6dfc1dea7e4c24d5b067880f459b88f16ec",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:38Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43\\\", \\\"digests\\\": [\\\"sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150\\\":\\\"sha256:f2f7cc9fa5367ae1b8d68e80e7063b235f8444c005777c94b7598e99f4b5a400\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":6,\\\"high\\\":159,\\\"medium\\\":211,\\\"low\\\":20,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:39:38+00:00\\\",\\\"note\\\":\\\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:25Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using the TPA vulnerability scanner, by comparing the components of the container image against the vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform which will be scanned by this task.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "https://exhort.stage.devshift.net/api/v5/analysis",
                            "description": "The URL of the TPA instance which will be used for scanning.",
                            "name": "tpa-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "TPA scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "2Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "2Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:ee0b11a53e805225d2af2160d31a4f990966ce319f6ce5b14d593b1a003d8150"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                },
                                {
                                    "name": "TPA_URL",
                                    "value": "https://exhort.stage.devshift.net/api/v5/analysis"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\necho \"Inspecting raw image manifest $imageanddigest.\"\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\necho \"Selecting auth\"\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${imageanddigest}\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task tpa-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". 
For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n\ntpa_scan() {\n  local sbom_file=${1}\n  local arch=${2}\n  local sbom_format\n\n  sbom_format=$(jq -r 'if .bomFormat == \"CycloneDX\" then \"cyclonedx\" else \"spdx\" end' \u003c \"${sbom_file}\")\n  retry curl -f --show-error -L -X POST -T \"${sbom_file}\" -H \"Content-Type:application/vnd.${sbom_format}+json\" \"${TPA_URL}\" | tee  \"tpa-report-${arch}.json\";\n}\n\nrun_tpa_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-${arch}.sha\"\n  local sbom_file_path=\"/tmp/sbom-${arch}.json\"\n  local arch_sha=\"\"\n\n  if [ -e \"${sha_file}\" ]; then\n    arch_sha=$(\u003c\"${sha_file}\")\n    arch_imageanddigest=$(echo -n \"${imagewithouttag}@${arch_sha}\")\n  else\n    echo \"Couldn't find the SHA file for the requested architecture.\"\n    exit 1\n  fi\n\n  echo \"Selecting auth\"\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${arch_imageanddigest}\" \u003e/tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  # Attempt to download the SBOM file via cosign\n\n  if ! 
retry cosign download sbom \"${arch_imageanddigest}\" \u003e \"${sbom_file_path}\"; then\n    echo \"Unable to download SBOM for the architecture ${arch}.\"\n    exit 1\n  fi\n\n  if [ -e \"${sbom_file_path}\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n\n    echo \"Running TPA scan on $arch image manifest...\"\n    tpa_scan \"${sbom_file_path}\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  else\n    echo \"Couldn't find the SBOM file for the requested ${arch} architecture.\"\n    exit 1\n  fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run the tpa scan on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 1\n      ;;\n  esac\n\n  run_tpa_on_arch \"$arch\"\n\n# If no platform is specified, run TPA scan on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_tpa_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:d8a3550152b3d095b9f67197858a8425267e1d43"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"tpa-report-*.json\" \u003e /dev/null; then\n  echo 'No TPA reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.tpa-report+json'\n\nreports_json=\"{}\"\nfor f in tpa-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${image_ref}\" \u003e/tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"/tmp/auth/config.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-user-workloads/rhtap-integration-tenant/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\ntpa_result_files=$(ls /tekton/home/tpa-report-*.json 2\u003e/dev/null || true)\nif [ -z \"$tpa_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No tpa-report files found in /tekton/home.\"\n  exit 1\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $tpa_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/tpa-report-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/rhtpa/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/tpa-vulnerabilities-\"${file_suffix}\".json || true\n  fi\n\n  #check for missing \"tpa-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/tpa-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/tpa-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task tpa-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/tpa-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? 
// [] | map(select(.metadata.details.name==\"rhtpa_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? 
// [] | map(select(.metadata.details.name==\"rhtpa_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/commit_sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/target_branch": "base-ztilmj",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=11",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-ztilmj",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dryzug",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-mt6qk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ztilmj\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #232 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ztilmj",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf/records/088759df-f449-4143-82ac-69d6db7900f5",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"c4c58d9f5a73ead48869e244d9df08f43841367b\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux"
                },
                "creationTimestamp": "2026-04-25T08:34:55Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRunUID": "c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "tekton.dev/pipelineTask": "build-container",
                    "tekton.dev/task": "buildah-oci-ta-min"
                },
                "name": "tsf-demo-comp-on-push-mt6qk-build-container",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-mt6qk",
                        "uid": "c97fd1b8-1841-46aa-a668-347843bfafbf"
                    }
                ],
                "resourceVersion": "39098",
                "uid": "088759df-f449-4143-82ac-69d6db7900f5"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                    },
                    {
                        "name": "DOCKERFILE",
                        "value": "Dockerfile"
                    },
                    {
                        "name": "CONTEXT",
                        "value": "."
                    },
                    {
                        "name": "HERMETIC",
                        "value": "false"
                    },
                    {
                        "name": "PREFETCH_INPUT",
                        "value": ""
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": ""
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "c4c58d9f5a73ead48869e244d9df08f43841367b"
                    },
                    {
                        "name": "BUILD_ARGS",
                        "value": []
                    },
                    {
                        "name": "BUILD_ARGS_FILE",
                        "value": ""
                    },
                    {
                        "name": "PRIVILEGED_NESTED",
                        "value": "false"
                    },
                    {
                        "name": "SOURCE_URL",
                        "value": "https://github.com/rhads-tsf-qe/testrepo"
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    },
                    {
                        "name": "HTTP_PROXY",
                        "value": ""
                    },
                    {
                        "name": "NO_PROXY",
                        "value": ""
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:7fa988a0ed032f310e72c4fb28bb6ebc1becc261da906f1600cf2d9b64ec788d"
                    },
                    {
                        "name": "CACHI2_ARTIFACT",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "buildah-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min:0.9@sha256:95c1b5a8b454e19bd4eb28bf90ee0247467743d0e0f5737d952dce1a99108d2f"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:37:50Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:37:50Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-mt6qk-build-container-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "95c1b5a8b454e19bd4eb28bf90ee0247467743d0e0f5737d952dce1a99108d2f"
                        },
                        "entryPoint": "buildah-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a"
                    },
                    {
                        "name": "IMAGE_REF",
                        "type": "string",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b@sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                    },
                    {
                        "name": "SBOM_BLOB_URL",
                        "type": "string",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:aad231f98f1677709c81caa5ddbd5de666de9ecd0d076ece70a07fcd8624b45d"
                    }
                ],
                "startTime": "2026-04-25T08:34:55Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad",
                        "name": "use-trusted-artifact",
                        "terminated": {
                            "containerID": "cri-o://2b51d60ee35e6e7c3a7708731e5237882434431c53992acf96bb59ee94bb9a49",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:35:37Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:35:37Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330",
                        "name": "build",
                        "terminated": {
                            "containerID": "cri-o://3a56958d2ffd529ab9b11e7f0501accf6a3a34ec62757aafd4796203d7d4ff65",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:36:25Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:35:38Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-push",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330",
                        "name": "push",
                        "terminated": {
                            "containerID": "cri-o://ff2523d1be05f6ac180402f9a872952564a6095e1e0ddd8b909fdb66eef6b9c0",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:36:40Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b@sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:36:25Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sbom-syft-generate",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:b22b989da3c95cb0af862eeb82531ed4f687e948ca5fb6b965d1ea8fbd5054ce",
                        "name": "sbom-syft-generate",
                        "terminated": {
                            "containerID": "cri-o://3eafd0f82b4a7c30791db814df4c47fc9b5fd214239846b9cc6016e2526fd33c",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:37:20Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b@sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:36:41Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prepare-sboms",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d",
                        "name": "prepare-sboms",
                        "terminated": {
                            "containerID": "cri-o://05079796b01561edbb78cf2d8b743c61512854ba7aac188f309e1868d135adea",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:37:42Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b@sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:37:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:b22b989da3c95cb0af862eeb82531ed4f687e948ca5fb6b965d1ea8fbd5054ce",
                        "name": "upload-sbom",
                        "terminated": {
                            "containerID": "cri-o://33e044b36c5b14f7d0cb752105415d974bee75a40777f6a6e706143b6f592d97",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:37:50Z",
                            "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b@sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:aad231f98f1677709c81caa5ddbd5de666de9ecd0d076ece70a07fcd8624b45d\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:37:42Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The Buildah task builds source code into a container image and pushes the image to a container registry using the buildah tool.\nIn addition, it generates an SBOM file, injects the SBOM file into the final container image, and pushes the SBOM file as a separate image using the cosign tool.\nWhen the prefetch-dependencies task is activated, the build uses that task's artifacts to run in a hermetic environment.",
                    "params": [
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional base image references to include in the SBOM. Array of image_reference_with_digest strings.",
                            "name": "ADDITIONAL_BASE_IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "does-not-exist",
                            "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET",
                            "name": "ADDITIONAL_SECRET",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of extra capabilities to add when running 'buildah build'",
                            "name": "ADD_CAPABILITIES",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with additional key=value annotations that should be applied to the image",
                            "name": "ANNOTATIONS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --build-arg values (\"arg=value\" strings)",
                            "name": "BUILD_ARGS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file",
                            "name": "BUILD_ARGS_FILE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.",
                            "name": "BUILD_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.",
                            "name": "CACHI2_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this commit.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Path to the directory to use as context.",
                            "name": "CONTEXT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if SBOM will be contextualized.",
                            "name": "CONTEXTUALIZE_SBOM",
                            "type": "string"
                        },
                        {
                            "default": "./Dockerfile",
                            "description": "Path to the Dockerfile to build.",
                            "name": "DOCKERFILE",
                            "type": "string"
                        },
                        {
                            "default": "etc-pki-entitlement",
                            "description": "Name of secret which contains the entitlement certificates",
                            "name": "ENTITLEMENT_SECRET",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Array of --env values (\"env=value\" strings)",
                            "name": "ENV_VARS",
                            "type": "array"
                        },
                        {
                            "default": "false",
                            "description": "Determines if build will be executed without network access.",
                            "name": "HERMETIC",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.",
                            "name": "HTTP_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection",
                            "name": "ICM_KEEP_COMPAT_LOCATION",
                            "type": "string"
                        },
                        {
                            "description": "Reference of the image buildah will produce.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Determines if the image inherits the base image labels.",
                            "name": "INHERIT_BASE_IMAGE_LABELS",
                            "type": "string"
                        },
                        {
                            "default": [],
                            "description": "Additional key=value labels that should be applied to the image",
                            "name": "LABELS",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.",
                            "name": "NO_PROXY",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.",
                            "name": "OMIT_HISTORY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "In case it is not empty, the prefetched content should be made available to the build.",
                            "name": "PREFETCH_INPUT",
                            "type": "string"
                        },
                        {
                            "default": "false",
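                            "description": "Whether to enable privileged mode. Should be used only with remote VMs. When set to true, the build step script appends --security-opt=label=disable, --cap-add=all and --device=/dev/fuse to BUILDAH_ARGS.",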
                            "name": "PRIVILEGED_NESTED",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        },
                        {
                            "default": "caching-ca-bundle",
                            "description": "The name of the ConfigMap to read proxy CA bundle data from.",
                            "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.",
                            "name": "REWRITE_TIMESTAMP",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM validation before save; going by the parameter name, true presumably skips validation. Validation is optional - use this if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.",
                            "name": "SBOM_SOURCE_SCAN_ENABLED",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection",
                            "name": "SBOM_SYFT_SELECT_CATALOGERS",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.",
                            "name": "SBOM_TYPE",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.",
                            "name": "SKIP_INJECTIONS",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Skip SBOM-related operations. If enabled, this will likely cause Enterprise Contract (EC) policies to fail.",
                            "name": "SKIP_SBOM_GENERATION",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages",
                            "name": "SKIP_UNUSED_STAGES",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.",
                            "name": "SOURCE_DATE_EPOCH",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The image is built from this URL.",
                            "name": "SOURCE_URL",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Squash all new and previous layers added as a part of this build, as per --squash",
                            "name": "SQUASH",
                            "type": "string"
                        },
                        {
                            "default": "overlay",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.",
                            "name": "TARGET_STAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify TLS on the registry endpoint (disabling verification is meant for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).",
                            "name": "WORKINGDIR_MOUNT",
                            "type": "string"
                        },
                        {
                            "default": "fetched.repos.d",
                            "description": "Path in source workspace where dynamically-fetched repos are present",
                            "name": "YUM_REPOS_D_FETCHED",
                            "type": "string"
                        },
                        {
                            "default": "repos.d",
                            "description": "Path in the git repository in which yum repository files are stored",
                            "name": "YUM_REPOS_D_SRC",
                            "type": "string"
                        },
                        {
                            "default": "/etc/yum.repos.d",
                            "description": "Target path on the container in which yum repository files should be made available",
                            "name": "YUM_REPOS_D_TARGET",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {
                            "limits": {
                                "memory": "256Mi"
                            },
                            "requests": {
                                "cpu": "100m",
                                "memory": "256Mi"
                            }
                        },
                        "env": [
                            {
                                "name": "ACTIVATION_KEY",
                                "value": "activation-key"
                            },
                            {
                                "name": "ADDITIONAL_SECRET",
                                "value": "does-not-exist"
                            },
                            {
                                "name": "ADD_CAPABILITIES"
                            },
                            {
                                "name": "ANNOTATIONS_FILE"
                            },
                            {
                                "name": "BUILD_ARGS_FILE"
                            },
                            {
                                "name": "BUILD_TIMESTAMP"
                            },
                            {
                                "name": "CONTEXT",
                                "value": "."
                            },
                            {
                                "name": "CONTEXTUALIZE_SBOM",
                                "value": "true"
                            },
                            {
                                "name": "ENTITLEMENT_SECRET",
                                "value": "etc-pki-entitlement"
                            },
                            {
                                "name": "HERMETIC",
                                "value": "false"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                            },
                            {
                                "name": "IMAGE_EXPIRES_AFTER"
                            },
                            {
                                "name": "INHERIT_BASE_IMAGE_LABELS",
                                "value": "true"
                            },
                            {
                                "name": "PRIVILEGED_NESTED",
                                "value": "false"
                            },
                            {
                                "name": "SBOM_SKIP_VALIDATION",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SOURCE_SCAN_ENABLED",
                                "value": "true"
                            },
                            {
                                "name": "SBOM_SYFT_SELECT_CATALOGERS"
                            },
                            {
                                "name": "SBOM_TYPE",
                                "value": "spdx"
                            },
                            {
                                "name": "SKIP_INJECTIONS",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_SBOM_GENERATION",
                                "value": "false"
                            },
                            {
                                "name": "SKIP_UNUSED_STAGES",
                                "value": "true"
                            },
                            {
                                "name": "SOURCE_CODE_DIR",
                                "value": "source"
                            },
                            {
                                "name": "SQUASH",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "overlay"
                            },
                            {
                                "name": "TARGET_STAGE"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "WORKINGDIR_MOUNT"
                            },
                            {
                                "name": "YUM_REPOS_D_FETCHED",
                                "value": "fetched.repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_SRC",
                                "value": "repos.d"
                            },
                            {
                                "name": "YUM_REPOS_D_TARGET",
                                "value": "/etc/yum.repos.d"
                            }
                        ],
                        "imagePullPolicy": "IfNotPresent",
                        "volumeMounts": [
                            {
                                "mountPath": "/shared",
                                "name": "shared"
                            },
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:7fa988a0ed032f310e72c4fb28bb6ebc1becc261da906f1600cf2d9b64ec788d=/var/workdir/source",
                                "=/var/workdir/cachi2"
                            ],
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad",
                            "name": "use-trusted-artifact",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "args": [
                                "--build-args",
                                "--env",
                                "--labels",
                                "--annotations"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "500m",
                                    "memory": "1Gi"
                                },
                                "requests": {
                                    "cpu": "500m",
                                    "memory": "1Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "COMMIT_SHA",
                                    "value": "c4c58d9f5a73ead48869e244d9df08f43841367b"
                                },
                                {
                                    "name": "SOURCE_URL",
                                    "value": "https://github.com/rhads-tsf-qe/testrepo"
                                },
                                {
                                    "name": "DOCKERFILE",
                                    "value": "Dockerfile"
                                },
                                {
                                    "name": "BUILDAH_HTTP_PROXY"
                                },
                                {
                                    "name": "BUILDAH_NO_PROXY"
                                },
                                {
                                    "name": "ICM_KEEP_COMPAT_LOCATION",
                                    "value": "true"
                                },
                                {
                                    "name": "BUILDAH_OMIT_HISTORY",
                                    "value": "false"
                                },
                                {
                                    "name": "BUILDAH_SOURCE_DATE_EPOCH"
                                },
                                {
                                    "name": "BUILDAH_REWRITE_TIMESTAMP",
                                    "value": "false"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n  if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n    echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n    export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n    if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n      echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n      export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n    fi\n  fi\n}\n\nfunction unset_proxy {\n  echo \"[$(date --utc -Ins)] Unsetting proxy\"\n  unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n  echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n  CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n\"$source_dir_path\" | \"$source_dir_path/\"*)\n  # path is valid, do nothing\n  ;;\n*)\n  echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n  echo \"Source path: $source_dir_path\" \u003e\u00262\n  echo \"Resolved path: $context_dir_path\" \u003e\u00262\n  exit 1\n  ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n  update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n  echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n  cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n  
update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n  dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n  # Instrumented builds (SAST) use this custom dockerfile step as their base\n  dockerfile_path=\"$DOCKERFILE\"\nelse\n  echo \"Cannot find Dockerfile $DOCKERFILE\"\n  exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n  icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e/etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n  echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n  while IFS= read -r line || [[ -n \"$line\" ]]; do\n    # Skip empty lines and comments\n    
if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n      ANNOTATIONS+=(\"--annotation\" \"$line\")\n    fi\n  done \u003c\"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n  --build-args)\n    shift\n    # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n    # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n    # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n    while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n      build_args+=(\"$1\")\n      shift\n    done\n    ;;\n  --env)\n    shift\n    # Collect env entries of the form KEY=value\n    while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n      env_vars+=(\"$1\")\n      shift\n    done\n    ;;\n  --labels)\n    shift\n    while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n      LABELS+=(\"--label\" \"$1\")\n      shift\n    done\n    ;;\n  --annotations)\n    shift\n    while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n      ANNOTATIONS+=(\"--annotation\" \"$1\")\n      shift\n    done\n    ;;\n  *)\n    echo \"unexpected argument: $1\" \u003e\u00262\n    exit 2\n    ;;\n  esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n  BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n  ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e/shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n  jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n    tr -d 
'\"' |\n    tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--pull=never\")\n  UNSHARE_ARGS+=(\"--net\")\n  buildah_retries=3\n\n  set_proxy\n\n  for image in $BASE_IMAGES; do\n    if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"; then\n      echo \"Failed to pull base image ${image}\"\n      exit 1\n    fi\n  done\n\n  unset_proxy\n\n  echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n  BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n  BUILDAH_ARGS+=(\"--cap-add=all\")\n  BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n  BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ]; then\n  BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ]; then\n  BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n  BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n  if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n    BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n  fi\n  if [ -n \"$BUILD_TIMESTAMP\" ]; then\n    echo \"ERROR: cannot 
use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n    exit 1\n  fi\n  # but do set it so that we get all the labels/annotations associated with it\n  BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n  BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/var/workdir/cachi2/cachi2.env\" ]; then\n  # Identify the current arch to filter the prefetched content\n  PREFETCH_ARCH=\"$(uname -m)\"\n  echo \"$PREFETCH_ARCH\" \u003e/shared/prefetch-arch\n\n  echo \"Prefetched content will be made available\"\n\n  cp -r \"/var/workdir/cachi2\" /tmp/\n  chmod -R go+rwX /tmp/cachi2\n\n  # In case RPMs were prefetched and this is a multi-arch build,\n  # clean up the packages that do not match the architecture being built\n  RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n  if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n    echo \"Removing prefetched RPMs from non-matching architectures\"\n    PREFETCH_ARCH=\"$(uname -m)\"\n    for path in \"$RPM_PREFETCH_DIR\"/*; do\n      if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n        echo \"Removing: $path\"\n        rm -rf \"$path\"\n      else\n        echo \"Keeping: $path\"\n      fi\n    done\n  fi\n\n  VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n  # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n  # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n  sed -E -i \\\n    -e 'H;1h;$!d;x' \\\n    -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. 
/cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n    @igM' \\\n    \"$dockerfile_copy\"\n\n  prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n  if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n    echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n    mkdir -p \"$YUM_REPOS_D_FETCHED\"\n    if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n      cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n    fi\n  fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n  mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n  cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n  chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n  mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n  VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n  \"--label\" \"architecture=$(uname -m)\"\n  \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n  DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n  ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n  BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n  BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" 
\"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n  FINAL_BASE_IMAGE=$(\n    # Get the base image of the final stage\n    # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n    # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n    # Run the find_root_stage() function on the final stage\n    # If the final stage is scratch or oci-archive, return empty\n    jq -r '.Stages as $all_stages |\n      def find_root_stage($stage):\n        if $stage.From.Stage then\n          find_root_stage($all_stages[$stage.From.Stage.Index])\n        else\n          $stage\n        end;\n\n        find_root_stage(.Stages[-1]) |\n        if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n          empty\n        else\n          .BaseName\n        end' /shared/parsed_dockerfile.json |\n      tr -d '\"' |\n      tr -d \"'\"\n  )\n  if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n    set_proxy\n    buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null$()\n    unset_proxy\n    buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n  fi\nfi\n\n# Concatenate defaults and explicit labels. 
If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n  if [[ \"$label\" != \"--label\" ]]; then\n    label_pairs+=(\"$label\")\n  fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n  label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n  [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n  | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' 
\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n  echo \"\" \u003e\u003e\"$dockerfile_copy\"\n  # Always write labels.json to the new standard location\n  echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  # Conditionally write to the old location for backward compatibility\n  if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n    echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n  fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n  containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n  ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n  cp \"$containerignore\" \"$ignorefile_copy\"\n  {\n    echo \"\"\n    echo \"!/labels.json\"\n    echo \"!/content-sets.json\"\n  } \u003e\u003e\"$ignorefile_copy\"\n  BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n#    to buildah but don't pre-register for backwards compatibility. 
Mount an empty directory on\n#    shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n  cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n  mkdir -p /shared/rhsm/etc/pki/entitlement\n  mkdir -p /shared/rhsm/etc/pki/consumer\n\n  VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key\n    -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z\n    -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n  echo \"Adding activation key to the build\"\n\n  if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n    # user is not running registration in the Containerfile: pre-register.\n    echo \"Pre-registering with subscription manager.\"\n    export RETRY_MAX_TRIES=6\n    if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"; then\n      echo \"Subscription-manager register failed\"\n      exit 1\n    fi\n    unset RETRY_MAX_TRIES\n    trap 'subscription-manager unregister || true' EXIT\n\n    # copy generated certificates to /shared volume\n    cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n    cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n    # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n    VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n  fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e/dev/null; then\n  cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n  VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n  echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n  if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n    echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n    echo \"Refusing to proceed 
in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n    exit 1\n  fi\n  # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n  # (we set the workdir using 'unshare -w')\n  context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n  VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n  # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n  # Instrumented builds (SAST) use this step as their base and add some other tools.\n  while read -r volume_mount; do\n    VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n  done \u003c\u003c\u003c\"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n  cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n  while read -r filename; do\n    echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n    BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n  done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n  buildah build\n  \"${VOLUME_MOUNTS[@]}\"\n  \"${BUILDAH_ARGS[@]}\"\n  \"${LABELS[@]}\"\n  \"${ANNOTATIONS[@]}\"\n  --tls-verify=\"$TLSVERIFY\" --no-cache\n  --ulimit nofile=4096:4096\n  --http-proxy=false\n  -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n  # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n  command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n  
command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n  echo \"Making copy of sbom-prefetch.json\"\n  cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n  # Get the image pullspec and filter out a tag if it is not set\n  # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n  base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n  # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n  # if buildah did not use that particular image during build because it was skipped\n  if [ -n \"$base_image_digest\" ]; then\n    echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n  fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e/shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/entitlement",
                                    "name": "etc-pki-entitlement"
                                },
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/additional-secret",
                                    "name": "additional-secret"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/mnt/proxy-ca-bundle",
                                    "name": "proxy-ca-bundle",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/root"
                                },
                                {
                                    "name": "BUILDAH_FORMAT",
                                    "value": "docker"
                                },
                                {
                                    "name": "TASKRUN_NAME",
                                    "value": "tsf-demo-comp-on-push-mt6qk-build-container"
                                }
                            ],
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "push",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"; then\n  echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile \"/var/workdir/image-digest\" \"$IMAGE\" \\\n  \"docker://$IMAGE\"; then\n  echo \"Failed to push sbom image to $IMAGE\"\n  exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c\"/var/workdir\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n  echo -n \"${IMAGE}@\"\n  cat \"/var/workdir/image-digest\"\n} \u003e\"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! 
RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"; then\n  echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n  SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n   [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n   [rekorInternalUrl]=REKOR_URL\n   [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n   [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n   [rekorInternalUrl]=rekorExternalUrl\n   [fulcioInternalUrl]=fulcioExternalUrl\n   [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n  val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n  if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n    fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n    val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n    if [ -n \"${val}\" ]; then\n      echo \"Using fallback ${fallback_key} instead of ${key}\"\n    fi\n  fi\n  if [ -z \"${val}\" ]; then\n    missing=\"${missing:+${missing}, }${key}\"\n  else\n    declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n    configured=$((configured + 1))\n  fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n  echo \"Keyless signing is enabled\"\n\n  # Save signing config for upload-sbom step\n  for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n    envvar=\"${SIGNING_KEY_MAP[$key]}\"\n    printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n  done \u003e/shared/signing-config.env\n\n  echo \"Using Rekor URL: ${REKOR_URL}\"\n  echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n  echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! 
retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e/tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  echo \"[$(date --utc -Ins)] Sign image\"\n  echo \"Signing image ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign sign -y \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"; then\n    echo \"Failed to sign image\" \u003e\u00262\n    exit 1\n  fi\nelif [ \"${configured}\" -eq 0 ]; then\n  echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n  echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n  exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                },
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "256m",
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "256m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "sbom-syft-generate",
                            "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\ncase $SBOM_TYPE in\ncyclonedx)\n  syft_sbom_type=cyclonedx-json@1.5\n  ;;\nspdx)\n  syft_sbom_type=spdx-json@2.3\n  ;;\n*)\n  echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n  exit 1\n  ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n  oci-dir:\"${OCI_DIR}\"\n  --output \"$syft_sbom_type=/var/workdir/sbom-image.json\"\n)\nsyft_source_args=(\n  dir:\"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT\"\n  --output \"$syft_sbom_type=/var/workdir/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n  syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n  syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n  echo \"Running syft on the source code\"\n  syft \"${syft_source_args[@]}\"\nelse\n  echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/lib/containers",
                                    "name": "varlibcontainers"
                                },
                                {
                                    "mountPath": "/shared",
                                    "name": "shared"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        },
                        {
                            "args": [
                                "--additional-base-images"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.2.0-1774868067@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d",
                            "name": "prepare-sboms",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n  case $1 in\n  --additional-base-images)\n    shift\n    while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n      ADDITIONAL_BASE_IMAGES+=(\"$1\")\n      shift\n    done\n    ;;\n  *)\n    echo \"unexpected argument: $1\" \u003e\u00262\n    exit 2\n    ;;\n  esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n  generate\n  --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-image\n  --from-syft \"/var/workdir/sbom-image.json\"\n  --image-pullspec \"$IMAGE_URL\"\n  --image-digest \"$IMAGE_DIGEST\"\n  --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n  --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/var/workdir/sbom-source.json\" ]; then\n  mobster_args+=(--from-syft \"/var/workdir/sbom-source.json\")\nfi\n\nif [ -f \"/var/workdir/sbom-prefetch.json\" ]; then\n  mobster_args+=(--from-hermeto \"/var/workdir/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n  mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n  mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n  mobster_args+=(--contextualize)\nfi\n\nif [ -f 
\"/shared/prefetch-arch\" ]; then\n  mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "workingDir": "/var/workdir"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n  echo \"Skipping SBOM generation\"\n  exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"; then\n  echo \"Failed to push sbom to registry\"\n  exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n  # shellcheck source=/dev/null\n  source /shared/signing-config.env\n\n  echo \"Initializing TUF root from ${TUF_URL}\"\n  if ! 
retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n    echo \"Failed to initialize TUF root\" \u003e\u00262\n    exit 1\n  fi\n\n  # env var consumed by cosign\n  SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n  export SIGSTORE_ID_TOKEN\n\n  IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n  ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n  if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n    # for format consistency with the cyclonedx format, we want to use spdxjson instead of spdx\n    # spdx exports data as a raw string; we want structured json, as with cyclonedx\n    ATT_SBOM_TYPE=\"spdxjson\"\n  fi\n\n  echo \"[$(date --utc -Ins)] Sign SBOM\"\n  echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n  if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n    --rekor-url=\"${REKOR_URL}\" \\\n    --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n    --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n    \"${IMAGE_REF}\"; then\n    echo \"Failed to sign SBOM\" \u003e\u00262\n    exit 1\n  fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/run/sigstore/cosign",
                                    "name": "oidc-token",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "name": "additional-secret",
                            "secret": {
                                "optional": true,
                                "secretName": "does-not-exist"
                            }
                        },
                        {
                            "name": "etc-pki-entitlement",
                            "secret": {
                                "optional": true,
                                "secretName": "etc-pki-entitlement"
                            }
                        },
                        {
                            "name": "oidc-token",
                            "projected": {
                                "sources": [
                                    {
                                        "serviceAccountToken": {
                                            "audience": "sigstore",
                                            "expirationSeconds": 600,
                                            "path": "oidc-token"
                                        }
                                    }
                                ]
                            }
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "caching-ca-bundle",
                                "optional": true
                            },
                            "name": "proxy-ca-bundle"
                        },
                        {
                            "emptyDir": {},
                            "name": "shared"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "varlibcontainers"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/commit_sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/target_branch": "base-ztilmj",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=15",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-ztilmj",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dryzug",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-mt6qk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ztilmj\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #232 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ztilmj",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf/records/a0c84d5b-5716-468d-9481-f4e5a29c87eb",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"c4c58d9f5a73ead48869e244d9df08f43841367b\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux"
                },
                "creationTimestamp": "2026-04-25T08:37:50Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "build.appstudio.redhat.com/build_type": "docker",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRunUID": "c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "tekton.dev/pipelineTask": "build-image-index",
                    "tekton.dev/task": "build-image-index-min"
                },
                "name": "tsf-demo-comp-on-push-mt6qk-build-image-index",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-mt6qk",
                        "uid": "c97fd1b8-1841-46aa-a668-347843bfafbf"
                    }
                ],
                "resourceVersion": "39764",
                "uid": "a0c84d5b-5716-468d-9481-f4e5a29c87eb"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                    },
                    {
                        "name": "COMMIT_SHA",
                        "value": "c4c58d9f5a73ead48869e244d9df08f43841367b"
                    },
                    {
                        "name": "IMAGE_EXPIRES_AFTER",
                        "value": ""
                    },
                    {
                        "name": "ALWAYS_BUILD_INDEX",
                        "value": "false"
                    },
                    {
                        "name": "IMAGES",
                        "value": [
                            "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b@sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a"
                        ]
                    },
                    {
                        "name": "BUILDAH_FORMAT",
                        "value": "docker"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "build-image-index-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index-min:0.2@sha256:79b412747e07caf80cace222ef8ee7e7955676f7928b893ed39c107f4ec62bf3"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:37:56Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:37:56Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-mt6qk-build-image-index-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "79b412747e07caf80cace222ef8ee7e7955676f7928b893ed39c107f4ec62bf3"
                        },
                        "entryPoint": "build-image-index-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index-min"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES",
                        "type": "string",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "type": "string",
                        "value": "sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a"
                    },
                    {
                        "name": "IMAGE_URL",
                        "type": "string",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                    }
                ],
                "startTime": "2026-04-25T08:37:51Z",
                "steps": [
                    {
                        "container": "step-build",
                        "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330",
                        "name": "build",
                        "terminated": {
                            "containerID": "cri-o://51742f3b7cb232ccd9c45b92dcb3439d86cf6289fb1227402ed7aa4371792b7e",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:37:55Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:37:55Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-sbom",
                        "imageID": "quay.io/konflux-ci/mobster@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d",
                        "name": "create-sbom",
                        "terminated": {
                            "containerID": "cri-o://f04bf945bc30349945ffa508a730948755c07625ae79f9ce56237f2c0293a0b5",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:37:55Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:37:55Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload-sbom",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:b22b989da3c95cb0af862eeb82531ed4f687e948ca5fb6b965d1ea8fbd5054ce",
                        "name": "upload-sbom",
                        "terminated": {
                            "containerID": "cri-o://131f449e5d0a7e9380452233426db80288776c2b8ba855f65bc04e69b6943503",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:37:55Z",
                            "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:37:55Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "This takes existing Image Manifests and combines them in an Image Index.",
                    "params": [
                        {
                            "description": "The target image and tag where the image will be pushed to.",
                            "name": "IMAGE",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Verify TLS on the registry endpoint (set to false for push/pull to a non-TLS registry)",
                            "name": "TLSVERIFY",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The commit the image is built from.",
                            "name": "COMMIT_SHA",
                            "type": "string"
                        },
                        {
                            "description": "List of Image Manifests to be referenced by the Image Index",
                            "name": "IMAGES",
                            "type": "array"
                        },
                        {
                            "default": "",
                            "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.",
                            "name": "IMAGE_EXPIRES_AFTER",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.",
                            "name": "ALWAYS_BUILD_INDEX",
                            "type": "string"
                        },
                        {
                            "default": "vfs",
                            "description": "Storage driver to configure for buildah",
                            "name": "STORAGE_DRIVER",
                            "type": "string"
                        },
                        {
                            "default": "oci",
                            "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.",
                            "name": "BUILDAH_FORMAT",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to true to skip SBOM validation before save. Validation is optional - skip it if you are experiencing performance issues.",
                            "name": "SBOM_SKIP_VALIDATION",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Digest of the image just built",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "description": "Image repository and tag where the built image was pushed",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "List of all referenced image manifests",
                            "name": "IMAGES",
                            "type": "string"
                        },
                        {
                            "description": "Image reference of the built image containing both the repository and the digest",
                            "name": "IMAGE_REF",
                            "type": "string"
                        },
                        {
                            "description": "Reference of SBOM blob digest to enable digest-based verification from provenance",
                            "name": "SBOM_BLOB_URL",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "BUILDAH_FORMAT",
                                "value": "docker"
                            },
                            {
                                "name": "COMMIT_SHA",
                                "value": "c4c58d9f5a73ead48869e244d9df08f43841367b"
                            },
                            {
                                "name": "IMAGE",
                                "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                            },
                            {
                                "name": "TLSVERIFY",
                                "value": "true"
                            },
                            {
                                "name": "ALWAYS_BUILD_INDEX",
                                "value": "false"
                            },
                            {
                                "name": "STORAGE_DRIVER",
                                "value": "vfs"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/index-build-data",
                                "name": "shared-dir"
                            },
                            {
                                "mountPath": "/mnt/trusted-ca",
                                "name": "trusted-ca",
                                "readOnly": true
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b@sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709",
                            "name": "build",
                            "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n  echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n  exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n  TOADD=\"$i\"\n  TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n  TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n  if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n    #format is repository:tag@sha256:digest\n    #we need to remove the tag, and just reference the digest\n    #as tag + digest is not supported\n    TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n    TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n  fi\n  if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n    echo \"Skipping image index generation. 
Returning results for $TOADD.\"\n    echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n    echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n    echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n    exit 0\n  fi\n\n  echo \"Adding $TOADD\"\n  buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n  INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n  INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n  echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n  echo \"This will cause digest changes and break SBOM accessibility.\"\n  echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n  exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n  push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://$IMAGE\"\nthen\n    echo \"Failed to push image ${IMAGE} to registry\"\n    exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! 
retry buildah manifest push \\\n  --format=\"$push_format\" \\\n  --retry \"$buildah_retries\" \\\n  --tls-verify=\"$TLSVERIFY\" \\\n  --digestfile image-digest \\\n  \"$IMAGE\" \\\n  \"docker://${IMAGE%:*}:tsf-demo-comp-on-push-mt6qk-build-image-index\"\nthen\n    echo \"Failed to push image ${IMAGE%:*}:tsf-demo-comp-on-push-mt6qk-build-image-index to registry\"\n    exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n  image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n  echo -n \"${IMAGE}@\"\n  cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/mobster:1.2.0-1774868067@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d",
                            "name": "create-sbom",
                            "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n  echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n  exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n  echo \"Skipping SBOM validation\"\n  mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n  oci-index\n  --index-image-pullspec \"$IMAGE_URL\"\n  --index-image-digest \"$IMAGE_DIGEST\"\n  --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea",
                            "name": "upload-sbom",
                            "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n  echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n  exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n    echo \"Failed to push sbom to registry\"\n    exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n",
                            "securityContext": {
                                "runAsNonRoot": false,
                                "runAsUser": 0
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "shared-dir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/commit_sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/target_branch": "base-ztilmj",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=37",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-ztilmj",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dryzug",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-mt6qk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ztilmj\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #232 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ztilmj",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf/records/3a72874e-cc3e-4f49-bcc8-5a4c8012406d",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"c4c58d9f5a73ead48869e244d9df08f43841367b\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-04-25T08:37:56Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRunUID": "c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "tekton.dev/pipelineTask": "clair-scan",
                    "tekton.dev/task": "clair-scan-min"
                },
                "name": "tsf-demo-comp-on-push-mt6qk-clair-scan",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-mt6qk",
                        "uid": "c97fd1b8-1841-46aa-a668-347843bfafbf"
                    }
                ],
                "resourceVersion": "43093",
                "uid": "3a72874e-cc3e-4f49-bcc8-5a4c8012406d"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clair-scan-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan-min:0.3@sha256:c117d0fd0b5413b5addb014027f06b1ea2c39c8e962876810c40c7baf5b54e72"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:42:48Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:42:48Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-mt6qk-clair-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "c117d0fd0b5413b5addb014027f06b1ea2c39c8e962876810c40c7baf5b54e72"
                        },
                        "entryPoint": "clair-scan-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan-min"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b\", \"digests\": [\"sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\":\"sha256:d969dcd50d6352cb7cbd6cea8710d5faee1ba620cc16275b5f73a29d5e9ee44e\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":12,\"medium\":187,\"low\":285,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-04-25T08:42:46+00:00\",\"note\":\"Task clair-scan-min completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-04-25T08:37:56Z",
                "steps": [
                    {
                        "container": "step-get-image-manifests",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                        "name": "get-image-manifests",
                        "terminated": {
                            "containerID": "cri-o://2e4389d9ce4d9ebe98d4d1b35cd2f3e835e67de9679681cb06b0cd4bfe01c29d",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:40:27Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:40:21Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:b72729ad74202d2ec5d306f20602a74edc489060f39063d60d1ce7c6583b6bac",
                        "name": "get-vulnerabilities",
                        "terminated": {
                            "containerID": "cri-o://a1440317b8a3a93883969af3c6195fc2868a1ed1058c291a7f0cc9c9d734d6f9",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:42:35Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:40:28Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "oci-attach-report",
                        "terminated": {
                            "containerID": "cri-o://f76d64b1e1684e9fcdb6986a3944f52a144ad9b4c2bdda63be3c5b7cb742221f",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:42:40Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:42:36Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                        "name": "conftest-vulnerabilities",
                        "terminated": {
                            "containerID": "cri-o://5ace523f7e720b421b045be536e1a84ea231f31ee23c0c272c995ae554988688",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:42:47Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b\\\", \\\"digests\\\": [\\\"sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\\\":\\\"sha256:d969dcd50d6352cb7cbd6cea8710d5faee1ba620cc16275b5f73a29d5e9ee44e\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":12,\\\"medium\\\":187,\\\"low\\\":285,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:42:46+00:00\\\",\\\"note\\\":\\\"Task clair-scan-min completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:42:41Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform built by.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused, should be removed in next task version.",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Clair scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "env": [
                            {
                                "name": "RETRY_COUNT",
                                "value": "5"
                            }
                        ],
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.51@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                            "name": "get-image-manifests",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$IMAGE_URL\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task clair-scan-min failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "512Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clair-in-ci:v1",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$IMAGE_URL\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n  { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --docker-config-dir=/tmp/auth --format=clair | tee  \"clair-report-$2.json\"; } \u0026\u0026 \\\n  { retry clair-action convert  --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-$arch.sha\"\n\n  if [ -e \"$sha_file\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n    local digest=\"${imagewithouttag}@${arch_sha}\"\n\n    echo \"Running clair-action on $arch image manifest...\"\n    clair_report \"$digest\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n   fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. 
If it's not a known arch, print an error and exit 0 without running the scan\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 0\n      ;;\n  esac\n\n  run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_clair_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n  echo 'No Clair reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.51@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n  fi\n\n  #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task clair-scan-min failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? 
// [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? 
// [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan-min completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/commit_sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/target_branch": "base-ztilmj",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=39",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-ztilmj",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dryzug",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-mt6qk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ztilmj\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #232 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ztilmj",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf/records/1108ca81-19b5-421f-97f5-9b1282d4edd0",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"c4c58d9f5a73ead48869e244d9df08f43841367b\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "virus, konflux"
                },
                "creationTimestamp": "2026-04-25T08:37:56Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRunUID": "c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "tekton.dev/pipelineTask": "clamav-scan",
                    "tekton.dev/task": "clamav-scan-min"
                },
                "name": "tsf-demo-comp-on-push-mt6qk-clamav-scan",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-mt6qk",
                        "uid": "c97fd1b8-1841-46aa-a668-347843bfafbf"
                    }
                ],
                "resourceVersion": "43344",
                "uid": "1108ca81-19b5-421f-97f5-9b1282d4edd0"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "clamav-scan-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min:0.3@sha256:589e34f73d310aa993c9761d8b78265a904a121028bda2809d8a2d0500454bd8"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:42:57Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:42:57Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-mt6qk-clamav-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "589e34f73d310aa993c9761d8b78265a904a121028bda2809d8a2d0500454bd8"
                        },
                        "entryPoint": "clamav-scan-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b\", \"digests\": [\"sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"timestamp\":\"1777106573\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n"
                    }
                ],
                "startTime": "2026-04-25T08:37:56Z",
                "steps": [
                    {
                        "container": "step-extract-and-scan-image",
                        "imageID": "quay.io/konflux-ci/clamav-db@sha256:0d229662067b3127c16fc1d87a22743f21cb3f5d4fd18eafc462b99cfc6efefa",
                        "name": "extract-and-scan-image",
                        "terminated": {
                            "containerID": "cri-o://4b884090088c176c810d9c0f297d780c5d43e5651af9ac51b8abd332ec857000",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:42:53Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b\\\", \\\"digests\\\": [\\\"sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106573\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:09Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "upload",
                        "terminated": {
                            "containerID": "cri-o://0be0cb632c8cdba6395ce096276b01d864d37687ce5fdbbcea6f394452221fe4",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:42:56Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b\\\", \\\"digests\\\": [\\\"sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1777106573\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:42:53Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image arch.",
                            "name": "image-arch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "unused",
                            "name": "docker-auth",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "8",
                            "description": "Maximum number of threads clamd runs.",
                            "name": "clamd-max-threads",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-upload",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "512m",
                                    "memory": "3Gi"
                                },
                                "requests": {
                                    "cpu": "512m",
                                    "memory": "3Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/work"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a"
                                },
                                {
                                    "name": "IMAGE_ARCH"
                                },
                                {
                                    "name": "MAX_THREADS",
                                    "value": "8"
                                }
                            ],
                            "image": "quay.io/konflux-ci/clamav-db:latest",
                            "name": "extract-and-scan-image",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n    mkdir -p ~/.docker\n    echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n    echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n    exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n#   $1: destination - path to the content to scan\n#   $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n#   $3: digest - digest to add to digests_processed array\n#   $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n  local destination=\"$1\"\n  local suffix=\"$2\"\n  local digest=\"$3\"\n  local scan_message=\"${4:-Scanning content}\"\n\n  db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n  echo \"$scan_message. 
This operation may take a while.\"\n  clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n    | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n  echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n  digests_processed+=(\"\\\"$digest\\\"\")\n\n  if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n    # OPA/EC requires structured data input, add clamAV log into json\n    jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o json \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n    # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n    EC_EXPERIMENTAL=1 ec test \\\n      --namespace required_checks \\\n      --policy /project/clamav/virus-check.rego \\\n      -o appstudio \\\n      \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n    cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n  fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. 
/utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n  echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n  raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n\n  if [ -n \"$raw_manifest\" ]; then\n    media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n    artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n    config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n    # Determine if this is an OCI artifact (not a container image)\n    # OCI artifacts typically have:\n    # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n    # - An explicit artifactType field that is not a container image type\n    is_oci_artifact=false\n\n    # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n    if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n      is_oci_artifact=true\n    fi\n\n    # Check if artifactType is set and is not a container image type\n    if [ -n \"$artifact_type\" ] \u0026\u0026 ! 
echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n      is_oci_artifact=true\n    fi\n\n    if [ \"$is_oci_artifact\" = true ]; then\n      # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n      echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". 
For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n      # This looks like a container image manifest, but get_image_manifests failed\n      echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      note=\"Task clamav-scan-min failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n      ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n      echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n      exit 0\n    else\n      # Likely an OCI artifact with non-standard media type\n      echo \"Detected OCI artifact (media type: ${media_type:-unknown}). 
Downloading for scanning...\"\n      if [ -s /work/logs/artifact-meta.json ]; then\n        tmp=$(mktemp)\n        if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n          mv \"$tmp\" /work/logs/artifact-meta.json || true\n        fi\n      fi\n      destination=\"content-oci\"\n      mkdir -p \"$destination\"\n\n      # Download OCI artifact using skopeo copy\n      echo \"Downloading OCI artifact using skopeo copy\"\n      if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n        echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n        note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n        ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n        echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n        exit 0\n      fi\n\n      # Scan and process OCI artifact\n      scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n      # Skip the container image processing path\n      image_manifests=\"\"\n    fi\n  else\n    echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n    note=\"Task clamav-scan-min failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n    ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n    echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n    exit 0\n  fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n  echo \"Detected container image. 
Processing image manifests.\"\n  if [ -s /work/logs/artifact-meta.json ]; then\n    tmp=$(mktemp)\n    if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n      mv \"$tmp\" /work/logs/artifact-meta.json || true\n    fi\n  fi\n  # Proceed only if a specific arch is provided.\n  # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n  if [ -n \"$IMAGE_ARCH\" ]; then\n    arch=\"${IMAGE_ARCH#*/}\"\n    if [ \"${arch}\" = \"x86_64\" ]; then\n      arch=\"amd64\"\n    fi\n\n    # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n    # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n    case \"$arch\" in\n      amd64|ppc64le|arm64|s390x)\n        ;;\n      *)\n        arch=\"amd64\"\n        ;;\n    esac\n\n    image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n  fi\n\n  while read -r arch arch_sha; do\n    destination=$(echo content-$arch)\n    mkdir -p \"$destination\"\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n    retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n    if [ $? -ne 0 ]; then\n      echo \"Unable to extract image for arch $arch. 
Skipping ClamAV scan!\"\n      exit 0\n    fi\n\n    # Scan and process container image for this architecture\n    scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n  reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n    {\n    \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n    \"namespace\" : $item.namespace,\n    \"successes\" : (.successes + $item.successes),\n    \"failures\" : (.failures + $item.failures),\n    \"warnings\" : (.warnings + $item.warnings),\n    \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n    \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n    })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_UPLOAD",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n  echo \"Upload skipped by parameter.\"\n  exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n  MEDIA_TYPE=text/vnd.clamav\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n  MEDIA_TYPE=application/vnd.konflux.test_output+json\n  args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n  echo \"No files found. Skipping upload.\"\n  exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/work",
                                    "name": "work"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/work"
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "dbfolder"
                        },
                        {
                            "emptyDir": {},
                            "name": "work"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/commit_sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/target_branch": "base-ztilmj",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=1",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-ztilmj",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dryzug",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-mt6qk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ztilmj\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #232 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ztilmj",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf/records/06f742df-3fe4-4f15-b832-defd7a0ea4bc",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"c4c58d9f5a73ead48869e244d9df08f43841367b\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/categories": "Git",
                    "tekton.dev/displayName": "git clone oci trusted artifacts",
                    "tekton.dev/pipelines.minVersion": "0.21.0",
                    "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64",
                    "tekton.dev/tags": "git"
                },
                "creationTimestamp": "2026-04-25T08:33:57Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRunUID": "c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "tekton.dev/pipelineTask": "clone-repository",
                    "tekton.dev/task": "git-clone-oci-ta-min"
                },
                "name": "tsf-demo-comp-on-push-mt6qk-clone-repository",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-mt6qk",
                        "uid": "c97fd1b8-1841-46aa-a668-347843bfafbf"
                    }
                ],
                "resourceVersion": "35985",
                "uid": "06f742df-3fe4-4f15-b832-defd7a0ea4bc"
            },
            "spec": {
                "params": [
                    {
                        "name": "url",
                        "value": "https://github.com/rhads-tsf-qe/testrepo"
                    },
                    {
                        "name": "revision",
                        "value": "c4c58d9f5a73ead48869e244d9df08f43841367b"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b.git"
                    },
                    {
                        "name": "ociArtifactExpiresAfter",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "git-clone-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min:0.1@sha256:2fff50eaed7d278c3ed82375d28241eaf6eecbc389ec4d44992721786a0dfa68"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-dryzug"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:34:12Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:34:12Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-mt6qk-clone-repository-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "2fff50eaed7d278c3ed82375d28241eaf6eecbc389ec4d44992721786a0dfa68"
                        },
                        "entryPoint": "git-clone-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "CHAINS-GIT_COMMIT",
                        "type": "string",
                        "value": "c4c58d9f5a73ead48869e244d9df08f43841367b"
                    },
                    {
                        "name": "CHAINS-GIT_URL",
                        "type": "string",
                        "value": "https://github.com/rhads-tsf-qe/testrepo"
                    },
                    {
                        "name": "commit",
                        "type": "string",
                        "value": "c4c58d9f5a73ead48869e244d9df08f43841367b"
                    },
                    {
                        "name": "commit-timestamp",
                        "type": "string",
                        "value": "1777106022"
                    },
                    {
                        "name": "short-commit",
                        "type": "string",
                        "value": "c4c58d9"
                    },
                    {
                        "name": "url",
                        "type": "string",
                        "value": "https://github.com/rhads-tsf-qe/testrepo"
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "type": "string",
                        "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:7fa988a0ed032f310e72c4fb28bb6ebc1becc261da906f1600cf2d9b64ec788d"
                    }
                ],
                "startTime": "2026-04-25T08:33:57Z",
                "steps": [
                    {
                        "container": "step-clone",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "clone",
                        "terminated": {
                            "containerID": "cri-o://d4297cf8d54abde08f6f51eab6f7c705f4bcc0e63393f9d1ee715f74673cce0f",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:34:09Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"c4c58d9f5a73ead48869e244d9df08f43841367b\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1},{\"key\":\"commit\",\"value\":\"c4c58d9f5a73ead48869e244d9df08f43841367b\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1777106022\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"c4c58d9\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:34:09Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-symlink-check",
                        "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                        "name": "symlink-check",
                        "terminated": {
                            "containerID": "cri-o://43aae3cdd5945282b09e6f811d771d200c00ce011b1ddd7388c21752d7f67653",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:34:10Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"c4c58d9f5a73ead48869e244d9df08f43841367b\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1},{\"key\":\"commit\",\"value\":\"c4c58d9f5a73ead48869e244d9df08f43841367b\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1777106022\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"c4c58d9\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:34:10Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad",
                        "name": "create-trusted-artifact",
                        "terminated": {
                            "containerID": "cri-o://e94126d1039db41ea57221d9bd9e5d99c6cb93e911d138f73fce24ee56fed87b",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:34:11Z",
                            "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"c4c58d9f5a73ead48869e244d9df08f43841367b\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:7fa988a0ed032f310e72c4fb28bb6ebc1becc261da906f1600cf2d9b64ec788d\",\"type\":1},{\"key\":\"commit\",\"value\":\"c4c58d9f5a73ead48869e244d9df08f43841367b\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1777106022\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"c4c58d9\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:34:10Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted artifact in the provided OCI repository.",
                    "params": [
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "1",
                            "description": "Perform a shallow clone, fetching only the most recent N commits.",
                            "name": "depth",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n",
                            "name": "enableSymlinkCheck",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Fetch all tags for the repo.",
                            "name": "fetchTags",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTP proxy server for non-SSL requests.",
                            "name": "httpProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "HTTPS proxy server for SSL requests.",
                            "name": "httpsProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n",
                            "name": "mergeSourceDepth",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n",
                            "name": "mergeSourceRepoUrl",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.",
                            "name": "mergeTargetBranch",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Opt out of proxying HTTP/HTTPS requests.",
                            "name": "noProxy",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "description": "The OCI repository where the Trusted Artifacts are stored.",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Refspec to fetch before checking out revision.",
                            "name": "refspec",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Revision to checkout. (branch, tag, sha, ref, etc...)",
                            "name": "revision",
                            "type": "string"
                        },
                        {
                            "default": "7",
                            "description": "Length of short commit SHA",
                            "name": "shortCommitLength",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Define the directory patterns to match or exclude when performing a sparse checkout.",
                            "name": "sparseCheckoutDirectories",
                            "type": "string"
                        },
                        {
                            "default": "true",
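                            "description": "Set the `http.sslVerify` global git config. Setting this to `false` disables TLS certificate verification, so the identity of the git remote is no longer checked; it is not advised unless you are sure that you trust your git remote and the network path to it.",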
                            "name": "sslVerify",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n",
                            "name": "submodulePaths",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Initialize and fetch git submodules.",
                            "name": "submodules",
                            "type": "string"
                        },
                        {
                            "default": "main",
                            "description": "The target branch to merge into the revision (if mergeTargetBranch is true).",
                            "name": "targetBranch",
                            "type": "string"
                        },
                        {
                            "description": "Repository URL to clone from.",
                            "name": "url",
                            "type": "string"
                        },
                        {
                            "default": "/tekton/home",
                            "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n",
                            "name": "userHome",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Log the commands that are executed during `git-clone`'s operation.",
                            "name": "verbose",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_COMMIT",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.",
                            "name": "CHAINS-GIT_URL",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "description": "The precise commit SHA that was fetched by this Task.",
                            "name": "commit",
                            "type": "string"
                        },
                        {
                            "description": "The commit timestamp of the checkout",
                            "name": "commit-timestamp",
                            "type": "string"
                        },
                        {
                            "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).",
                            "name": "merged_sha",
                            "type": "string"
                        },
                        {
                            "description": "The commit SHA that was fetched by this Task, limited to params.shortCommitLength characters.",
                            "name": "short-commit",
                            "type": "string"
                        },
                        {
                            "description": "The precise URL that was fetched by this Task.",
                            "name": "url",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_URL",
                                    "value": "https://github.com/rhads-tsf-qe/testrepo"
                                },
                                {
                                    "name": "PARAM_REVISION",
                                    "value": "c4c58d9f5a73ead48869e244d9df08f43841367b"
                                },
                                {
                                    "name": "PARAM_REFSPEC"
                                },
                                {
                                    "name": "PARAM_SUBMODULES",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_SUBMODULE_PATHS"
                                },
                                {
                                    "name": "PARAM_DEPTH",
                                    "value": "1"
                                },
                                {
                                    "name": "PARAM_SHORT_COMMIT_LENGTH",
                                    "value": "7"
                                },
                                {
                                    "name": "PARAM_SSL_VERIFY",
                                    "value": "true"
                                },
                                {
                                    "name": "PARAM_HTTP_PROXY"
                                },
                                {
                                    "name": "PARAM_HTTPS_PROXY"
                                },
                                {
                                    "name": "PARAM_NO_PROXY"
                                },
                                {
                                    "name": "PARAM_VERBOSE",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES"
                                },
                                {
                                    "name": "PARAM_USER_HOME",
                                    "value": "/tekton/home"
                                },
                                {
                                    "name": "PARAM_FETCH_TAGS",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_MERGE_TARGET_BRANCH",
                                    "value": "false"
                                },
                                {
                                    "name": "PARAM_TARGET_BRANCH",
                                    "value": "main"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_REPO_URL"
                                },
                                {
                                    "name": "PARAM_MERGE_SOURCE_DEPTH"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_BOUND",
                                    "value": "false"
                                },
                                {
                                    "name": "WORKSPACE_SSH_DIRECTORY_PATH"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND",
                                    "value": "true"
                                },
                                {
                                    "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH",
                                    "value": "/workspace/basic-auth"
                                },
                                {
                                    "name": "CHECKOUT_DIR",
                                    "value": "/var/workdir/source"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "clone",
                            "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ]; then\n  set -x\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ]; then\n  if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n    cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n  # Compatibility with kubernetes.io/basic-auth secrets\n  elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n    HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n    echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e\"${PARAM_USER_HOME}/.git-credentials\"\n    echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n  helper = store\" \u003e\"${PARAM_USER_HOME}/.gitconfig\"\n  else\n    echo \"Unknown basic-auth workspace format\"\n    exit 1\n  fi\n  chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n  chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ]; then\n  cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n  chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n  chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export 
NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n  -url=\"${PARAM_URL}\" \\\n  -revision=\"${PARAM_REVISION}\" \\\n  -refspec=\"${PARAM_REFSPEC}\" \\\n  -path=\"${CHECKOUT_DIR}\" \\\n  -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n  -submodules=\"${PARAM_SUBMODULES}\" \\\n  -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n  -depth=\"${PARAM_DEPTH}\" \\\n  -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n  -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n  echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n  if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n    echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n  fi\n\n  # Determine if merging from a different repository or the same one\n  if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n    # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n    normalize_url() {\n      echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n    }\n\n    NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n    NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n    if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n      echo \"Merge source URL is the same as origin. 
Using existing 'origin' remote.\"\n      MERGE_REMOTE=\"origin\"\n    else\n      echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n      echo \"Adding remote 'merge-source'...\"\n      git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n      MERGE_REMOTE=\"merge-source\"\n    fi\n  else\n    echo \"Merging from the same repository (origin)\"\n    MERGE_REMOTE=\"origin\"\n  fi\n\n  echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n  if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n    retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  else\n    retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n  fi\n\n  echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n  git config --global user.email \"tekton-git-clone@tekton.dev\"\n  git config --global user.name \"Tekton Git Clone Task\"\n\n  if ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n    echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n    echo \"--- Git Status ---\"\n    git status\n    echo \"------------------\"\n    exit 1\n  fi\n\n  # Check if there are changes staged for commit\n  if git diff --staged --quiet; then\n    echo \"No diff was found, skipping merge...\" \u003e\u00262\n  else\n    echo \"Merge successful (no conflicts found), committing...\"\n    if ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n      echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n      exit 1\n    fi\n    MERGED_SHA=$(git rev-parse HEAD)\n    echo \"New HEAD after merge: ${MERGED_SHA}\"\n    echo \"${MERGED_SHA}\" \u003e\"/tekton/results/merged_sha\"\n  fi\n\nelse\n  echo \"Merge option disabled. 
Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e\"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e\"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ]; then\n  echo \"Fetching tags\"\n  retry git fetch --tags\nfi\n",
                            "securityContext": {
                                "runAsUser": 0
                            },
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                },
                                {
                                    "mountPath": "/var/workdir",
                                    "name": "workdir"
                                }
                            ]
                        },
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "PARAM_ENABLE_SYMLINK_CHECK",
                                    "value": "true"
                                },
                                {
                                    "name": "CHECKOUT_DIR",
                                    "value": "/var/workdir/source"
                                }
                            ],
                            "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434",
                            "name": "symlink-check",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n\ncheck_symlinks() {\n  FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n  while read -r symlink; do\n    target=$(readlink -m \"$symlink\")\n    if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n      echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n      FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n    fi\n  done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n  if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ]; then\n    return 1\n  fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ]; then\n  echo \"Running symlink check\"\n  check_symlinks\nfi\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/workdir",
                                    "name": "workdir"
                                }
                            ]
                        },
                        {
                            "args": [
                                "create",
                                "--store",
                                "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b.git",
                                "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source"
                            ],
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_EXPIRES_AFTER"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad",
                            "name": "create-trusted-artifact",
                            "volumeMounts": [
                                {
                                    "mountPath": "/var/workdir",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n",
                            "name": "basic-auth",
                            "optional": true
                        },
                        {
                            "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n",
                            "name": "ssh-directory",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/commit_sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/target_branch": "base-ztilmj",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=22",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-ztilmj",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dryzug",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-mt6qk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ztilmj\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #232 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ztilmj",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf/records/6a08bf0e-86ea-4c78-8533-97f29387b340",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"c4c58d9f5a73ead48869e244d9df08f43841367b\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-04-25T08:37:56Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRunUID": "c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "tekton.dev/pipelineTask": "deprecated-base-image-check",
                    "tekton.dev/task": "deprecated-image-check"
                },
                "name": "tsf-demo-comp-on-push-mt6qk-deprecated-base-image-check",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-mt6qk",
                        "uid": "c97fd1b8-1841-46aa-a668-347843bfafbf"
                    }
                ],
                "resourceVersion": "41105",
                "uid": "6a08bf0e-86ea-4c78-8533-97f29387b340"
            },
            "spec": {
                "params": [
                    {
                        "name": "IMAGE_URL",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                    },
                    {
                        "name": "IMAGE_DIGEST",
                        "value": "sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "deprecated-image-check"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:39:19Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:39:19Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-mt6qk-deprecated-base-image-check-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae"
                        },
                        "entryPoint": "deprecated-image-check",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b\", \"digests\": [\"sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\"]}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-04-25T08:39:18+00:00\",\"note\":\"Task deprecated-image-check completed: Check result for task result.\",\"namespace\":\"required_checks\",\"successes\":1,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-04-25T08:37:56Z",
                "steps": [
                    {
                        "container": "step-check-images",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:3bba1fe5ad96bd3811f34b367487192683aa9b1ba343da4885dda565b0a7207e",
                        "name": "check-images",
                        "terminated": {
                            "containerID": "cri-o://59f4d85f44e673c303fee9575add9608d98522dc1c4c5ac47b33e326201630bb",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:18Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b\\\", \\\"digests\\\": [\\\"sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:39:18+00:00\\\",\\\"note\\\":\\\"Task deprecated-image-check completed: Check result for task result.\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":1,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:08Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Identifies unmaintained and potentially insecure deprecated base images. The Pyxis API collects metadata from the image repository, and Conftest applies the supplied policy to that metadata to identify the deprecated images.",
                    "params": [
                        {
                            "default": "/project/repository/",
                            "description": "Path to directory containing Conftest policies.",
                            "name": "POLICY_DIR",
                            "type": "string"
                        },
                        {
                            "default": "required_checks",
                            "description": "Namespace for Conftest policy.",
                            "name": "POLICY_NAMESPACE",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Digests of base build images.",
                            "name": "BASE_IMAGES_DIGESTS",
                            "type": "string"
                        },
                        {
                            "description": "Fully qualified image name.",
                            "name": "IMAGE_URL",
                            "type": "string"
                        },
                        {
                            "description": "Image digest.",
                            "name": "IMAGE_DIGEST",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "CA_TRUST_CONFIG_MAP_NAME",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "CA_TRUST_CONFIG_MAP_KEY",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "POLICY_DIR",
                                    "value": "/project/repository/"
                                },
                                {
                                    "name": "POLICY_NAMESPACE",
                                    "value": "required_checks"
                                },
                                {
                                    "name": "BASE_IMAGES_DIGESTS"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9",
                            "name": "check-images",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  while read -r arch arch_sha; do\n    SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n    arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n    # Get base images from SBOM\n    cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n    if [ $? -ne 0 ]; then\n      echo \"Unable to download sbom for arch $arch.\"\n      continue\n    fi\n\n    \u003c \"${SBOM_FILE_PATH}\" jq -r '\n        if .bomFormat == \"CycloneDX\" then\n            .formulation[]?\n            | .components[]?\n            | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n            | (\n                .purl\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        else\n            .packages[]\n            | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n            | [.externalRefs[]? 
| select(.referenceType == \"purl\").referenceLocator] as $purls\n            | (\n                $purls | first\n                | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n              ) as $matched\n            | $matched.repository_url\n        end\n    ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"Detected base images from $arch SBOM:\"\n    cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n    echo \"\"\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n  echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n  # Get images from the parameter\n  for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n  do\n    echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n  done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n  IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n  # Red Hat Catalog hack: 
registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n  IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n  export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n  mkdir -p ${IMAGE_REPO_PATH}\n  echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n  http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n  if [ \"$http_code\" == \"200\" ];\n  then\n    echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n    /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n    --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n    --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n    failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${failures_num}\" -gt 0 ]]; then\n      echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n    fi\n    failure_counter=$((failure_counter+failures_num))\n\n    successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n    if [[ \"${successes_num}\" -gt 0 ]]; then\n      echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n    fi\n    success_counter=$((success_counter+successes_num))\n\n  elif [ \"$http_code\" == \"404\" ];\n  then\n    echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. 
Task cannot provide results if image is deprecated.\"\n    warnings_counter=$((warnings_counter+1))\n  else\n    echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n    error_counter=$((error_counter+1))\n  fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n  if [[ \"${failure_counter}\" -gt 0 ]]; then\n    RES=\"FAILURE\"\n  elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n    RES=\"WARNING\"\n  elif [[ \"${success_counter}\" -eq 0 ]]; then\n    # when all counters are 0, there are no base images to check\n    note=\"Task deprecated-image-check success: No base images to check.\"\n    RES=\"SUCCESS\"\n  else\n    RES=\"SUCCESS\"\n  fi\n  TEST_OUTPUT=$(make_result_json \\\n    -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n    -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/commit_sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/target_branch": "base-ztilmj",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=0",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-ztilmj",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dryzug",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-mt6qk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ztilmj\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #232 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ztilmj",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf/records/c4789a6e-a852-4683-8e51-c0d9a149abfb",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"c4c58d9f5a73ead48869e244d9df08f43841367b\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-04-25T08:33:51Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRunUID": "c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "tekton.dev/pipelineTask": "init",
                    "tekton.dev/task": "init"
                },
                "name": "tsf-demo-comp-on-push-mt6qk-init",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-mt6qk",
                        "uid": "c97fd1b8-1841-46aa-a668-347843bfafbf"
                    }
                ],
                "resourceVersion": "35887",
                "uid": "c4789a6e-a852-4683-8e51-c0d9a149abfb"
            },
            "spec": {
                "params": [
                    {
                        "name": "enable-cache-proxy",
                        "value": "false"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "init"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:33:57Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:33:57Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-mt6qk-init-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19"
                        },
                        "entryPoint": "init",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-init"
                    }
                },
                "results": [
                    {
                        "name": "http-proxy",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "no-proxy",
                        "type": "string",
                        "value": ""
                    }
                ],
                "startTime": "2026-04-25T08:33:51Z",
                "steps": [
                    {
                        "container": "step-init",
                        "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:2d1039b614888ca46d5d771ca886a5843e56ac9acf7210040a61075371338247",
                        "name": "init",
                        "terminated": {
                            "containerID": "cri-o://28b402ceec451a19622e62e090f0fce96612b6caa344dfc388ee642add6f89b8",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:33:56Z",
                            "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:33:56Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.",
                    "params": [
                        {
                            "default": "false",
                            "description": "Enable cache proxy configuration",
                            "name": "enable-cache-proxy",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)",
                            "name": "http-proxy",
                            "type": "string"
                        },
                        {
                            "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)",
                            "name": "no-proxy",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "args": [
                                "--enable",
                                "false"
                            ],
                            "command": [
                                "konflux-build-cli",
                                "config",
                                "cache-proxy"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "info"
                                },
                                {
                                    "name": "DEFAULT_HTTP_PROXY",
                                    "value": "squid.caching.svc.cluster.local:3128"
                                },
                                {
                                    "name": "DEFAULT_NO_PROXY",
                                    "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai"
                                },
                                {
                                    "name": "HTTP_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/http-proxy"
                                },
                                {
                                    "name": "NO_PROXY_RESULTS_PATH",
                                    "value": "/tekton/results/no-proxy"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf",
                            "name": "init"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/commit_sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/target_branch": "base-ztilmj",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=4",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-ztilmj",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dryzug",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-mt6qk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ztilmj\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #232 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ztilmj",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf/records/c9bc1b46-7b17-4e3f-ab05-26c0fc14d473",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"c4c58d9f5a73ead48869e244d9df08f43841367b\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "image-build, konflux"
                },
                "creationTimestamp": "2026-04-25T08:34:12Z",
                "finalizers": [
                    "results.tekton.dev/taskrun",
                    "chains.tekton.dev"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRunUID": "c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "tekton.dev/pipelineTask": "prefetch-dependencies",
                    "tekton.dev/task": "prefetch-dependencies-oci-ta-min"
                },
                "name": "tsf-demo-comp-on-push-mt6qk-prefetch-dependencies",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-mt6qk",
                        "uid": "c97fd1b8-1841-46aa-a668-347843bfafbf"
                    }
                ],
                "resourceVersion": "37035",
                "uid": "c9bc1b46-7b17-4e3f-ab05-26c0fc14d473"
            },
            "spec": {
                "params": [
                    {
                        "name": "input",
                        "value": ""
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:7fa988a0ed032f310e72c4fb28bb6ebc1becc261da906f1600cf2d9b64ec788d"
                    },
                    {
                        "name": "ociStorage",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b.prefetch"
                    },
                    {
                        "name": "ociArtifactExpiresAfter",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "prefetch-dependencies-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min:0.3@sha256:1a41e7ee19f9e02874b4ef1f74e6f588a7601deaf5b30ca0862808e5760cea5d"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s",
                "workspaces": [
                    {
                        "name": "git-basic-auth",
                        "secret": {
                            "secretName": "pac-gitauth-dryzug"
                        }
                    }
                ]
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:34:54Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:34:54Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-mt6qk-prefetch-dependencies-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "1a41e7ee19f9e02874b4ef1f74e6f588a7601deaf5b30ca0862808e5760cea5d"
                        },
                        "entryPoint": "prefetch-dependencies-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "CACHI2_ARTIFACT",
                        "type": "string",
                        "value": ""
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "type": "string",
                        "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:7fa988a0ed032f310e72c4fb28bb6ebc1becc261da906f1600cf2d9b64ec788d"
                    }
                ],
                "startTime": "2026-04-25T08:34:12Z",
                "steps": [
                    {
                        "container": "step-skip-ta",
                        "imageID": "registry.access.redhat.com/ubi9/ubi-minimal@sha256:83006d535923fcf1345067873524a3980316f51794f01d8655be55d6e9387183",
                        "name": "skip-ta",
                        "terminated": {
                            "containerID": "cri-o://2cb490fe33c64f8ea63af6c1d4a06f504fdd073bb8256bdd7a7627b7c5efd2a4",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:34:32Z",
                            "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:7fa988a0ed032f310e72c4fb28bb6ebc1becc261da906f1600cf2d9b64ec788d\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:34:32Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:6ee5ae7d29b718eb3c69e55f1ec3a3264bc1a03ba398b2e1f34c7a20af1720d1",
                        "name": "use-trusted-artifact",
                        "terminated": {
                            "containerID": "cri-o://17c78efe9e3631c59560610f23b1f602e142b7770bc03f4e117badc0738fd6ea",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:34:32Z",
                            "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:7fa988a0ed032f310e72c4fb28bb6ebc1becc261da906f1600cf2d9b64ec788d\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:34:32Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-prefetch-dependencies",
                        "imageID": "quay.io/konflux-ci/hermeto@sha256:0101888c066cc428dbbe87f91752e6208cdfdce5e68f6d7b1a773ec281870784",
                        "name": "prefetch-dependencies",
                        "terminated": {
                            "containerID": "cri-o://22075058eb0e3e08b5672dc7bc1d94272e536aa6ef2234c96847f5c16532409c",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:34:53Z",
                            "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:7fa988a0ed032f310e72c4fb28bb6ebc1becc261da906f1600cf2d9b64ec788d\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:34:33Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-create-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:6ee5ae7d29b718eb3c69e55f1ec3a3264bc1a03ba398b2e1f34c7a20af1720d1",
                        "name": "create-trusted-artifact",
                        "terminated": {
                            "containerID": "cri-o://05dabc37cfa085689e0377a5240ebaa51f29b7789a3a18cb6954408be437087c",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:34:54Z",
                            "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:7fa988a0ed032f310e72c4fb28bb6ebc1becc261da906f1600cf2d9b64ec788d\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:34:54Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Task that prefetches project dependencies for hermetic build.",
                    "params": [
                        {
                            "default": "activation-key",
                            "description": "Name of secret which contains subscription activation key",
                            "name": "ACTIVATION_KEY",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n",
                            "name": "config-file-content",
                            "type": "string"
                        },
                        {
                            "description": "Configures project packages that will have their dependencies prefetched.",
                            "name": "input",
                            "type": "string"
                        },
                        {
                            "default": "debug",
                            "description": "Set the logging level (debug, info, warn, error, fatal).",
                            "name": "log-level",
                            "type": "string"
                        },
                        {
                            "default": "strict",
                            "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).",
                            "name": "mode",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.",
                            "name": "ociArtifactExpiresAfter",
                            "type": "string"
                        },
                        {
                            "description": "The OCI repository where the Trusted Artifacts are stored.",
                            "name": "ociStorage",
                            "type": "string"
                        },
                        {
                            "default": "spdx",
                            "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.",
                            "name": "sbom-type",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.",
                            "name": "CACHI2_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {},
                            "env": [
                                {
                                    "name": "INPUT"
                                },
                                {
                                    "name": "SOURCE_ARTIFACT",
                                    "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:7fa988a0ed032f310e72c4fb28bb6ebc1becc261da906f1600cf2d9b64ec788d"
                                }
                            ],
                            "image": "registry.access.redhat.com/ubi9/ubi-minimal:9.7-1773939694@sha256:83006d535923fcf1345067873524a3980316f51794f01d8655be55d6e9387183",
                            "name": "skip-ta",
                            "script": "#!/bin/bash\n\nif [ -z \"${INPUT}\" ]; then\n  mkdir -p /var/workdir/source\n  mkdir -p /var/workdir/cachi2\n  echo \"true\" \u003e/var/workdir/source/.skip-trusted-artifacts\n  echo \"true\" \u003e/var/workdir/cachi2/.skip-trusted-artifacts\n  echo -n \"${SOURCE_ARTIFACT}\" \u003e\"/tekton/results/SOURCE_ARTIFACT\"\n  echo -n \"\" \u003e\"/tekton/results/CACHI2_ARTIFACT\"\nfi\n"
                        },
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:7fa988a0ed032f310e72c4fb28bb6ebc1becc261da906f1600cf2d9b64ec788d=/var/workdir/source"
                            ],
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:6ee5ae7d29b718eb3c69e55f1ec3a3264bc1a03ba398b2e1f34c7a20af1720d1",
                            "name": "use-trusted-artifact"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KBC_LOG_LEVEL",
                                    "value": "debug"
                                },
                                {
                                    "name": "KBC_PD_INPUT"
                                },
                                {
                                    "name": "KBC_PD_SOURCE_DIR",
                                    "value": "/var/workdir/source"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR",
                                    "value": "/var/workdir/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_SBOM_FORMAT",
                                    "value": "spdx"
                                },
                                {
                                    "name": "KBC_PD_MODE",
                                    "value": "strict"
                                },
                                {
                                    "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT",
                                    "value": "/cachi2/output"
                                },
                                {
                                    "name": "KBC_PD_ENV_FILE",
                                    "value": "/var/workdir/cachi2/cachi2.env"
                                },
                                {
                                    "name": "KBC_PD_GIT_AUTH_DIRECTORY",
                                    "value": "/workspace/git-basic-auth"
                                },
                                {
                                    "name": "WORKSPACE_NETRC_PATH"
                                },
                                {
                                    "name": "CONFIG_FILE_CONTENT"
                                }
                            ],
                            "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26",
                            "name": "prefetch-dependencies",
                            "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n  export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n  cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n  export KBC_PD_RHSM_ORG=/activation-key/org\n  export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n  echo \"${CONFIG_FILE_CONTENT}\" \u003e/mnt/config/config.yaml\n  export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/activation-key",
                                    "name": "activation-key"
                                },
                                {
                                    "mountPath": "/mnt/config",
                                    "name": "config"
                                },
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ]
                        },
                        {
                            "args": [
                                "create",
                                "--store",
                                "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b.prefetch",
                                "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source",
                                "/tekton/results/CACHI2_ARTIFACT=/var/workdir/cachi2"
                            ],
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_EXPIRES_AFTER"
                                }
                            ],
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:6ee5ae7d29b718eb3c69e55f1ec3a3264bc1a03ba398b2e1f34c7a20af1720d1",
                            "name": "create-trusted-artifact"
                        }
                    ],
                    "volumes": [
                        {
                            "name": "activation-key",
                            "secret": {
                                "optional": true,
                                "secretName": "activation-key"
                            }
                        },
                        {
                            "emptyDir": {},
                            "name": "config"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ],
                    "workspaces": [
                        {
                            "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n",
                            "name": "git-basic-auth",
                            "optional": true
                        },
                        {
                            "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n",
                            "name": "netrc",
                            "optional": true
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/commit_sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/target_branch": "base-ztilmj",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=33",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-ztilmj",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dryzug",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-mt6qk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ztilmj\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #232 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ztilmj",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf/records/96d40f41-6557-497f-a2db-42813e3752ce",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"c4c58d9f5a73ead48869e244d9df08f43841367b\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "results.tekton.dev/stored": "true"
                },
                "creationTimestamp": "2026-04-25T08:37:56Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRunUID": "c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "tekton.dev/pipelineTask": "rpms-signature-scan",
                    "tekton.dev/task": "rpms-signature-scan"
                },
                "name": "tsf-demo-comp-on-push-mt6qk-rpms-signature-scan",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-mt6qk",
                        "uid": "c97fd1b8-1841-46aa-a668-347843bfafbf"
                    }
                ],
                "resourceVersion": "41808",
                "uid": "96d40f41-6557-497f-a2db-42813e3752ce"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-url",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                    },
                    {
                        "name": "image-digest",
                        "value": "sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "rpms-signature-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:40:17Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:40:17Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-mt6qk-rpms-signature-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a"
                        },
                        "entryPoint": "rpms-signature-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b\", \"digests\": [\"sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\"]}}\n"
                    },
                    {
                        "name": "RPMS_DATA",
                        "type": "string",
                        "value": "{\"keys\": {\"199e2f91fd431d51\": 183, \"unsigned\": 0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-04-25T08:40:00+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-04-25T08:37:57Z",
                "steps": [
                    {
                        "container": "step-rpms-signature-scan",
                        "imageID": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                        "name": "rpms-signature-scan",
                        "terminated": {
                            "containerID": "cri-o://5f3a4b18a1e3040eb6846ab92722d8e94e5ccd84328d932709dc7b23fc0f1daa",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:40:00Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:43Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-output-results",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                        "name": "output-results",
                        "terminated": {
                            "containerID": "cri-o://fbe345fde4ad47e01a77ab27528ab9db437e7d9f20280dd5fe4d2be55c5740db",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:40:01Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b\\\", \\\"digests\\\": [\\\"sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 183, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:40:00+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:40:00Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans RPMs in an image and provide information about RPMs signatures.",
                    "params": [
                        {
                            "description": "Image URL",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "description": "Image digest to scan",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "/tmp",
                            "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n",
                            "name": "workdir",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Information about signed and unsigned RPMs",
                            "name": "RPMS_DATA",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        }
                    ],
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "200m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a"
                                },
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215",
                            "name": "rpms-signature-scan",
                            "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n  --image-url \"${IMAGE_URL}\" \\\n  --image-digest \"${IMAGE_DIGEST}\" \\\n  --workdir \"${WORKDIR}\" \\\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                },
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                },
                                "requests": {
                                    "cpu": "50m",
                                    "memory": "32Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "WORKDIR",
                                    "value": "/tmp"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce",
                            "name": "output-results",
                            "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n  note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n  note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/tmp",
                                    "name": "workdir"
                                }
                            ]
                        }
                    ],
                    "volumes": [
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        },
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/commit_sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/target_branch": "base-ztilmj",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=27",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-ztilmj",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dryzug",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-mt6qk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ztilmj\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #232 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ztilmj",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf/records/4af2396a-3c09-4890-8401-0d3028e53be9",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"c4c58d9f5a73ead48869e244d9df08f43841367b\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-04-25T08:37:56Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRunUID": "c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "tekton.dev/pipelineTask": "sast-shell-check",
                    "tekton.dev/task": "sast-shell-check-oci-ta-min"
                },
                "name": "tsf-demo-comp-on-push-mt6qk-sast-shell-check",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-mt6qk",
                        "uid": "c97fd1b8-1841-46aa-a668-347843bfafbf"
                    }
                ],
                "resourceVersion": "41038",
                "uid": "4af2396a-3c09-4890-8401-0d3028e53be9"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:7fa988a0ed032f310e72c4fb28bb6ebc1becc261da906f1600cf2d9b64ec788d"
                    },
                    {
                        "name": "CACHI2_ARTIFACT",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-shell-check-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min:0.1@sha256:fa19753f59288a397aab2ddb9459f35f0ec1b89f43c36e944a3958db72becb5a"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:39:27Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:39:27Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-mt6qk-sast-shell-check-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "fa19753f59288a397aab2ddb9459f35f0ec1b89f43c36e944a3958db72becb5a"
                        },
                        "entryPoint": "sast-shell-check-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-04-25T08:39:25+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-04-25T08:37:56Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:ab064e9763b62d99da5ee9653370da86ffd9d3e770e1aad7a935e88b64a0b6ac",
                        "name": "use-trusted-artifact",
                        "terminated": {
                            "containerID": "cri-o://3993b1106244b57910e00938e36da0b266f063584f6922dd1edabc2fffa59285",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:19Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:19Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sast-shell-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                        "name": "sast-shell-check",
                        "terminated": {
                            "containerID": "cri-o://661861f77a80d449036b509b8c3e5e5f625986de407e97bdea91044863f00c4b",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:25Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:39:25+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:180b50c7be50c20e3349a79df8dd6062fee0e0dd01aa30e9a09d1d07d9ebd0c2",
                        "name": "upload",
                        "terminated": {
                            "containerID": "cri-o://5680b0d9b86196036b0ace3935edd145c23f8cc5d86411a1f4fc4001270aa064",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:26Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:39:25+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:25Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.",
                    "params": [
                        {
                            "default": "",
                            "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.",
                            "name": "CACHI2_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "true",
                            "description": "Whether to include important findings only",
                            "name": "IMP_FINDINGS_ONLY",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": ".",
                            "description": "Target directories in component's source code. Multiple values should be separated with commas.",
                            "name": "TARGET_DIRS",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image digest to report findings for.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:7fa988a0ed032f310e72c4fb28bb6ebc1becc261da906f1600cf2d9b64ec788d=/var/workdir/source",
                                "=/var/workdir/cachi2"
                            ],
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:ab064e9763b62d99da5ee9653370da86ffd9d3e770e1aad7a935e88b64a0b6ac",
                            "name": "use-trusted-artifact",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "128m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "128m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "IMP_FINDINGS_ONLY",
                                    "value": "true"
                                },
                                {
                                    "name": "TARGET_DIRS",
                                    "value": "."
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.51@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                            "name": "sast-shell-check",
                            "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n  PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/var/workdir/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c\"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n  potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n  resolved_path=$(realpath -m \"$potential_path\")\n\n  # ensure resolved path is still within SOURCE_CODE_DIR\n  if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n    ALL_TARGETS+=(\"$resolved_path\")\n  else\n    echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n    exit 1\n  fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n  read -r quota period \u003c/sys/fs/cgroup/cpu.max\n  if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n    export SC_JOBS=$(((quota + period - 1) / period))\n    echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n  fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh 
\"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n  --mode=json\n  --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n  --remove-duplicates\n  --embed-context=3\n  --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n  # predefined list of shellcheck important findings\n  CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n  CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n  CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n  CSGREP_OPTS+=(\n    --event=\"$CSGREP_EVENT_FILTER\"\n  )\nelse\n  CSGREP_OPTS+=(\n    --event=\"error|warning\"\n  )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e\"$OUTPUT_FILE\"; then\n  echo \"Error occurred while running 'run-shellcheck.sh'\"\n  note=\"Task sast-shell-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n  KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n  # Default location only reachable from internal Konflux instances, check reachable first\n  echo -n \"INFO: Probing ${PROBE_URL}... 
\"\n  if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n    echo \"INFO: Trying to clone known-false-positives..\"\n    git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n  fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n  echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n  echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n  # build initial csfilter-kfp command\n  csfilter_kfp_cmd=(\n    csfilter-kfp\n    --verbose\n    --kfp-dir=\"${KFP_DIR}\"\n    --project-nvr=\"${PROJECT_NAME}\"\n  )\n\n  if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n    csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n  fi\n\n  # Execute the command and capture any errors\n  set +e\n  \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e\"${OUTPUT_FILE}.filtered\" 2\u003e\"${OUTPUT_FILE}.error\"\n  status=$?\n  set -e\n  if [ \"$status\" -ne 0 ]; then\n    echo \"WARN: failed to filter known false positives\" \u003e\u00262\n  else\n    mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n    echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n  fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003eshellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check-oci-ta-min\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:180b50c7be50c20e3349a79df8dd6062fee0e0dd01aa30e9a09d1d07d9ebd0c2",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n  echo 'No image-url or image-digest param provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n  if [ ! -f \"${UPLOAD_FILE}\" ]; then\n    echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n    continue\n  fi\n\n  # Determine the media type based on the file extension\n  if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n    MEDIA_TYPE=\"application/json\"\n  else\n    MEDIA_TYPE=\"application/sarif+json\"\n  fi\n\n  echo \"Selecting auth\"\n  select-oci-auth \"$IMAGE_URL\" \u003e\"$HOME/auth.json\"\n  echo \"Attaching to ${IMAGE_URL}\"\n  if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"; then\n    echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n    exit 1\n  fi\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/commit_sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/target_branch": "base-ztilmj",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=23",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-ztilmj",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dryzug",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-mt6qk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ztilmj\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #232 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ztilmj",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf/records/57261c6b-820c-42e2-84cf-03f28631f341",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"c4c58d9f5a73ead48869e244d9df08f43841367b\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-04-25T08:37:56Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRunUID": "c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "tekton.dev/pipelineTask": "sast-unicode-check",
                    "tekton.dev/task": "sast-unicode-check-oci-ta-min"
                },
                "name": "tsf-demo-comp-on-push-mt6qk-sast-unicode-check",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-mt6qk",
                        "uid": "c97fd1b8-1841-46aa-a668-347843bfafbf"
                    }
                ],
                "resourceVersion": "41049",
                "uid": "57261c6b-820c-42e2-84cf-03f28631f341"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                    },
                    {
                        "name": "SOURCE_ARTIFACT",
                        "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:7fa988a0ed032f310e72c4fb28bb6ebc1becc261da906f1600cf2d9b64ec788d"
                    },
                    {
                        "name": "CACHI2_ARTIFACT",
                        "value": ""
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "sast-unicode-check-oci-ta-min"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min:0.4@sha256:624d9ed6d461b59a16d8c1578276626c02fa6d56e0ee4bcd752f7859055f21ab"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:39:23Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:39:23Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-mt6qk-sast-unicode-check-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "624d9ed6d461b59a16d8c1578276626c02fa6d56e0ee4bcd752f7859055f21ab"
                        },
                        "entryPoint": "sast-unicode-check-oci-ta-min",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min"
                    }
                },
                "results": [
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-04-25T08:39:20+00:00\",\"note\":\"Task sast-unicode-check-oci-ta-min success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-04-25T08:37:57Z",
                "steps": [
                    {
                        "container": "step-use-trusted-artifact",
                        "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:ab064e9763b62d99da5ee9653370da86ffd9d3e770e1aad7a935e88b64a0b6ac",
                        "name": "use-trusted-artifact",
                        "terminated": {
                            "containerID": "cri-o://9584d61743b25a4576b5d9b9a87e285034e11d3ac5a24951aae96a6221a59def",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:19Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:19Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-sast-unicode-check",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                        "name": "sast-unicode-check",
                        "terminated": {
                            "containerID": "cri-o://3ed6d4b1af45c34a5970f6eb87e6891b596c73e10963e537298055a5c878bee8",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:20Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:39:20+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta-min success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:20Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-upload",
                        "imageID": "quay.io/konflux-ci/oras@sha256:180b50c7be50c20e3349a79df8dd6062fee0e0dd01aa30e9a09d1d07d9ebd0c2",
                        "name": "upload",
                        "terminated": {
                            "containerID": "cri-o://bbdd986d97116c15ac4741745526a2223f3b6643e7fd195864b192e51ea5abae",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:22Z",
                            "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:39:20+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta-min success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:21Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans source code for non-printable unicode characters in all text files.",
                    "params": [
                        {
                            "default": "",
                            "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.",
                            "name": "CACHI2_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "-p bidi -v -d -t",
                            "description": "Arguments for the find-unicode-control command.",
                            "name": "FIND_UNICODE_CONTROL_ARGS",
                            "type": "string"
                        },
                        {
                            "default": "SITE_DEFAULT",
                            "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for an internal Konflux instance and an empty string for an external Konflux instance. If set to an empty string, KFP filtering is disabled.",
                            "name": "KFP_GIT_URL",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.",
                            "name": "PROJECT_NAME",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n",
                            "name": "RECORD_EXCLUDED",
                            "type": "string"
                        },
                        {
                            "description": "The Trusted Artifact URI pointing to the artifact with the application source code.",
                            "name": "SOURCE_ARTIFACT",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "caTrustConfigMapKey",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "caTrustConfigMapName",
                            "type": "string"
                        },
                        {
                            "description": "Image digest used for ORAS upload.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL used for ORAS upload.",
                            "name": "image-url",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/var/workdir",
                                "name": "workdir"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "args": [
                                "use",
                                "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:7fa988a0ed032f310e72c4fb28bb6ebc1becc261da906f1600cf2d9b64ec788d=/var/workdir/source",
                                "=/var/workdir/cachi2"
                            ],
                            "computeResources": {},
                            "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:ab064e9763b62d99da5ee9653370da86ffd9d3e770e1aad7a935e88b64a0b6ac",
                            "name": "use-trusted-artifact",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ]
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "128m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "KFP_GIT_URL",
                                    "value": "SITE_DEFAULT"
                                },
                                {
                                    "name": "PROJECT_NAME"
                                },
                                {
                                    "name": "FIND_UNICODE_CONTROL_ARGS",
                                    "value": "-p bidi -v -d -t"
                                },
                                {
                                    "name": "RECORD_EXCLUDED",
                                    "value": "false"
                                },
                                {
                                    "name": "SOURCE_CODE_DIR",
                                    "value": "/var/workdir"
                                },
                                {
                                    "name": "COMPONENT_LABEL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.labels['appstudio.openshift.io/component']"
                                        }
                                    }
                                },
                                {
                                    "name": "BUILD_PLR_LOG_URL",
                                    "valueFrom": {
                                        "fieldRef": {
                                            "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']"
                                        }
                                    }
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.51@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a",
                            "name": "sast-unicode-check",
                            "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n  PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n  echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n  cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n  update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n  \u003eraw_sast_unicode_check_out.txt \\\n  2\u003eraw_sast_unicode_check_out.log ||\n  FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n  echo \"Failed to run find-unicode-control command\" \u003e\u00262\n  cat raw_sast_unicode_check_out.log\n  note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 1\nfi\n\n# Translate the output format\nif ! 
sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n  echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n  note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n  --mode=json\n  --remove-duplicates\n  --embed-context=3\n  --set-scan-prop=\"${SCAN_PROP}\"\n  --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003eprocessed_sast_unicode_check_out.json 2\u003eprocessed_sast_unicode_check_out.err; then\n  echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n  cat processed_sast_unicode_check_out.err\n  note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n  KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n  # Default location only reachable from internal Konflux instances, check reachable first\n  echo -n \"INFO: Probing ${PROBE_URL}... 
\"\n  if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n    echo \"INFO: Trying to clone known-false-positives..\"\n    git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n  fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n  echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n  mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n  echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n  # Build initial csfilter-kfp command\n  csfilter_kfp_cmd=(\n    csfilter-kfp\n    --verbose\n    --kfp-dir=\"${KFP_DIR}\"\n    --project-nvr=\"${PROJECT_NAME}\"\n  )\n\n  # Append --record-excluded option if RECORD_EXCLUDED is true\n  if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n    csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n  fi\n\n  # Execute the command and capture any errors\n  set +e\n  \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003esast_unicode_check_out.json 2\u003esast_unicode_check_out.error\n  status=$?\n  set -e\n  if [ \"$status\" -ne 0 ]; then\n    echo \"WARN: failed to filter known false positives\" \u003e\u00262\n    mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n  else\n    echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n  fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003esast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n  note=\"Task sast-unicode-check-oci-ta-min success: No finding was detected\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! 
-s sast_unicode_check_out.sarif ]]; then\n  note=\"Task sast-unicode-check-oci-ta-min success: Some findings were detected, but filtered by known false positive\"\n  ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n  echo \"sast-unicode-check test failed because of the following issues:\"\n  cat sast_unicode_check_out.json\n  TEST_OUTPUT=\n  parse_test_output \"sast-unicode-check-oci-ta-min\" sarif sast_unicode_check_out.sarif || true\n  note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/mnt/trusted-ca",
                                    "name": "trusted-ca",
                                    "readOnly": true
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a"
                                }
                            ],
                            "image": "quay.io/konflux-ci/oras:latest@sha256:180b50c7be50c20e3349a79df8dd6062fee0e0dd01aa30e9a09d1d07d9ebd0c2",
                            "name": "upload",
                            "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n  echo 'No image-url param provided. Skipping upload.'\n  exit 0\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n  if [ ! -f \"${UPLOAD_FILE}\" ]; then\n    echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n    continue\n  fi\n\n  if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n    MEDIA_TYPE=application/json\n  else\n    MEDIA_TYPE=application/sarif+json\n  fi\n\n  echo \"Selecting auth\"\n  select-oci-auth \"${IMAGE_URL}\" \u003e\"${HOME}/auth.json\"\n  echo \"Attaching to ${IMAGE_URL}\"\n  retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n",
                            "volumeMounts": [
                                {
                                    "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                    "name": "trusted-ca",
                                    "readOnly": true,
                                    "subPath": "ca-bundle.crt"
                                }
                            ],
                            "workingDir": "/var/workdir/source"
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        },
                        {
                            "emptyDir": {},
                            "name": "workdir"
                        }
                    ]
                }
            }
        },
        {
            "apiVersion": "tekton.dev/v1",
            "kind": "TaskRun",
            "metadata": {
                "annotations": {
                    "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/commit_sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "build.appstudio.redhat.com/target_branch": "base-ztilmj",
                    "chains.tekton.dev/signed": "true",
                    "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=31",
                    "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6",
                    "pipelinesascode.tekton.dev/branch": "base-ztilmj",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-dryzug",
                    "pipelinesascode.tekton.dev/git-provider": "github",
                    "pipelinesascode.tekton.dev/installation-id": "112348674",
                    "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-b8b19c7afc.vhnm.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-mt6qk",
                    "pipelinesascode.tekton.dev/max-keep-runs": "3",
                    "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ztilmj\"",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true",
                    "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/sha-title": "Merge pull request #232 from rhads-tsf-qe/konflux-tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ztilmj",
                    "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "results.tekton.dev/childReadyForDeletion": "true",
                    "results.tekton.dev/record": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf/records/b9a6c6af-9968-48eb-adb1-7ea2d55c3ed4",
                    "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"c4c58d9f5a73ead48869e244d9df08f43841367b\",\"eventType\":\"push\"}",
                    "results.tekton.dev/result": "default-tenant/results/c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "results.tekton.dev/stored": "true",
                    "tekton.dev/pipelines.minVersion": "0.12.1",
                    "tekton.dev/tags": "konflux"
                },
                "creationTimestamp": "2026-04-25T08:37:56Z",
                "finalizers": [
                    "chains.tekton.dev",
                    "results.tekton.dev/taskrun"
                ],
                "generation": 1,
                "labels": {
                    "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev",
                    "app.kubernetes.io/version": "v0.37.7",
                    "appstudio.openshift.io/application": "tsf-demo-app",
                    "appstudio.openshift.io/component": "tsf-demo-comp",
                    "pipelines.appstudio.openshift.io/type": "build",
                    "pipelinesascode.tekton.dev/cancel-in-progress": "false",
                    "pipelinesascode.tekton.dev/check-run-id": "72998131637",
                    "pipelinesascode.tekton.dev/event-type": "push",
                    "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push",
                    "pipelinesascode.tekton.dev/repository": "tsf-demo-comp",
                    "pipelinesascode.tekton.dev/sha": "c4c58d9f5a73ead48869e244d9df08f43841367b",
                    "pipelinesascode.tekton.dev/state": "started",
                    "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe",
                    "pipelinesascode.tekton.dev/url-repository": "testrepo",
                    "tekton.dev/memberOf": "tasks",
                    "tekton.dev/pipeline": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-mt6qk",
                    "tekton.dev/pipelineRunUID": "c97fd1b8-1841-46aa-a668-347843bfafbf",
                    "tekton.dev/pipelineTask": "tpa-scan",
                    "tekton.dev/task": "tpa-scan"
                },
                "name": "tsf-demo-comp-on-push-mt6qk-tpa-scan",
                "namespace": "default-tenant",
                "ownerReferences": [
                    {
                        "apiVersion": "tekton.dev/v1",
                        "blockOwnerDeletion": true,
                        "controller": true,
                        "kind": "PipelineRun",
                        "name": "tsf-demo-comp-on-push-mt6qk",
                        "uid": "c97fd1b8-1841-46aa-a668-347843bfafbf"
                    }
                ],
                "resourceVersion": "41484",
                "uid": "b9a6c6af-9968-48eb-adb1-7ea2d55c3ed4"
            },
            "spec": {
                "params": [
                    {
                        "name": "image-digest",
                        "value": "sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a"
                    },
                    {
                        "name": "image-url",
                        "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                    }
                ],
                "serviceAccountName": "build-pipeline-tsf-demo-comp",
                "taskRef": {
                    "params": [
                        {
                            "name": "name",
                            "value": "tpa-scan"
                        },
                        {
                            "name": "bundle",
                            "value": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan:0.1@sha256:68b6e188f742da92af9c40a794fd021a65d49b419d1e36096277b2d9ebbe1afc"
                        },
                        {
                            "name": "kind",
                            "value": "task"
                        }
                    ],
                    "resolver": "bundles"
                },
                "timeout": "1h0m0s"
            },
            "status": {
                "artifacts": {},
                "completionTime": "2026-04-25T08:39:42Z",
                "conditions": [
                    {
                        "lastTransitionTime": "2026-04-25T08:39:42Z",
                        "message": "All Steps have completed executing",
                        "reason": "Succeeded",
                        "status": "True",
                        "type": "Succeeded"
                    }
                ],
                "podName": "tsf-demo-comp-on-push-mt6qk-tpa-scan-pod",
                "provenance": {
                    "featureFlags": {
                        "awaitSidecarReadiness": true,
                        "coschedule": "workspaces",
                        "enableAPIFields": "beta",
                        "enableProvenanceInStatus": true,
                        "enforceNonfalsifiability": "none",
                        "maxResultSize": 4096,
                        "resultExtractionMethod": "termination-message",
                        "runningInEnvWithInjectedSidecars": true,
                        "verificationNoMatchPolicy": "ignore"
                    },
                    "refSource": {
                        "digest": {
                            "sha256": "68b6e188f742da92af9c40a794fd021a65d49b419d1e36096277b2d9ebbe1afc"
                        },
                        "entryPoint": "tpa-scan",
                        "uri": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan"
                    }
                },
                "results": [
                    {
                        "name": "IMAGES_PROCESSED",
                        "type": "string",
                        "value": "{\"image\": {\"pullspec\": \"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b\", \"digests\": [\"sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\"]}}\n"
                    },
                    {
                        "name": "REPORTS",
                        "type": "string",
                        "value": "{\"sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\":\"sha256:5e52bf92a04fb9a730a8ed2c0345faaa58b6bc0e956a4cc50af504a618ad92ea\"}\n"
                    },
                    {
                        "name": "SCAN_OUTPUT",
                        "type": "string",
                        "value": "{\"vulnerabilities\":{\"critical\":6,\"high\":159,\"medium\":211,\"low\":20,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0}}\n"
                    },
                    {
                        "name": "TEST_OUTPUT",
                        "type": "string",
                        "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-04-25T08:39:31+00:00\",\"note\":\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n"
                    }
                ],
                "startTime": "2026-04-25T08:37:58Z",
                "steps": [
                    {
                        "container": "step-get-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49",
                        "name": "get-vulnerabilities",
                        "terminated": {
                            "containerID": "cri-o://5a14ffd33112cd9b9df6d93fc34621008156c5ed77a4d873307212e13a7e384f",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:12Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:09Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-oci-attach-report",
                        "imageID": "quay.io/konflux-ci/task-runner@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                        "name": "oci-attach-report",
                        "terminated": {
                            "containerID": "cri-o://d886e7873bc0297e00dddf7e937fd5da889a5d44e3e381572e6ed270df533bbf",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:16Z",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:12Z"
                        },
                        "terminationReason": "Completed"
                    },
                    {
                        "container": "step-conftest-vulnerabilities",
                        "imageID": "quay.io/konflux-ci/konflux-test@sha256:aa2c97da9bb73a4e8d1c6b41950f8d902b74461be0e042debe89277fdc4ebe49",
                        "name": "conftest-vulnerabilities",
                        "terminated": {
                            "containerID": "cri-o://2d83b14d62459f3285649c63d3f5ed219121828cbc638d52f6524d41998b514e",
                            "exitCode": 0,
                            "finishedAt": "2026-04-25T08:39:31Z",
                            "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b\\\", \\\"digests\\\": [\\\"sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a\\\":\\\"sha256:5e52bf92a04fb9a730a8ed2c0345faaa58b6bc0e956a4cc50af504a618ad92ea\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":6,\\\"high\\\":159,\\\"medium\\\":211,\\\"low\\\":20,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-04-25T08:39:31+00:00\\\",\\\"note\\\":\\\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]",
                            "reason": "Completed",
                            "startedAt": "2026-04-25T08:39:16Z"
                        },
                        "terminationReason": "Completed"
                    }
                ],
                "taskSpec": {
                    "description": "Scans container images for vulnerabilities using the TPA vulnerability scanner by comparing the components of the container image against vulnerability databases.",
                    "params": [
                        {
                            "description": "Image digest to scan.",
                            "name": "image-digest",
                            "type": "string"
                        },
                        {
                            "description": "Image URL.",
                            "name": "image-url",
                            "type": "string"
                        },
                        {
                            "default": "",
                            "description": "The platform which will be scanned by this task.",
                            "name": "image-platform",
                            "type": "string"
                        },
                        {
                            "default": "https://exhort.stage.devshift.net/api/v5/analysis",
                            "description": "The URL of the TPA instance that will be used for scanning.",
                            "name": "tpa-url",
                            "type": "string"
                        },
                        {
                            "default": "trusted-ca",
                            "description": "The name of the ConfigMap to read CA bundle data from.",
                            "name": "ca-trust-config-map-name",
                            "type": "string"
                        },
                        {
                            "default": "ca-bundle.crt",
                            "description": "The name of the key in the ConfigMap that contains the CA bundle data.",
                            "name": "ca-trust-config-map-key",
                            "type": "string"
                        },
                        {
                            "default": "false",
                            "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.",
                            "name": "skip-oci-attach-report",
                            "type": "string"
                        }
                    ],
                    "results": [
                        {
                            "description": "Tekton task test output.",
                            "name": "TEST_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "TPA scan result.",
                            "name": "SCAN_OUTPUT",
                            "type": "string"
                        },
                        {
                            "description": "Images processed in the task.",
                            "name": "IMAGES_PROCESSED",
                            "type": "string"
                        },
                        {
                            "description": "Mapping of image digests to report digests",
                            "name": "REPORTS",
                            "type": "string"
                        }
                    ],
                    "stepTemplate": {
                        "computeResources": {},
                        "volumeMounts": [
                            {
                                "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt",
                                "name": "trusted-ca",
                                "readOnly": true,
                                "subPath": "ca-bundle.crt"
                            }
                        ]
                    },
                    "steps": [
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "800m",
                                    "memory": "2Gi"
                                },
                                "requests": {
                                    "cpu": "800m",
                                    "memory": "2Gi"
                                }
                            },
                            "env": [
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                                },
                                {
                                    "name": "IMAGE_DIGEST",
                                    "value": "sha256:68c2c6bf32d66c65574e91ab248bbd4ed1d5d4ec8cc6c7e7522e460a5218df4a"
                                },
                                {
                                    "name": "IMAGE_PLATFORM"
                                },
                                {
                                    "name": "TPA_URL",
                                    "value": "https://exhort.stage.devshift.net/api/v5/analysis"
                                }
                            ],
                            "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac",
                            "imagePullPolicy": "Always",
                            "name": "get-vulnerabilities",
                            "script": "#!/usr/bin/env bash\n\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\necho \"Inspecting raw image manifest $imageanddigest.\"\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\necho \"Selecting auth\"\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${imageanddigest}\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n  echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n    echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n  done\nelse\n  echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n  note=\"Task tpa-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". 
For details, check Tekton task log.\"\n  ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n  exit 0\nfi\n\n\ntpa_scan() {\n  local sbom_file=${1}\n  local arch=${2}\n  local sbom_format\n\n  sbom_format=$(jq -r 'if .bomFormat == \"CycloneDX\" then \"cyclonedx\" else \"spdx\" end' \u003c \"${sbom_file}\")\n  retry curl -f --show-error -L -X POST -T \"${sbom_file}\" -H \"Content-Type:application/vnd.${sbom_format}+json\" \"${TPA_URL}\" | tee  \"tpa-report-${arch}.json\";\n}\n\nrun_tpa_on_arch() {\n  local arch=\"$1\"\n  local sha_file=\"image-manifest-${arch}.sha\"\n  local sbom_file_path=\"/tmp/sbom-${arch}.json\"\n  local arch_sha=\"\"\n\n  if [ -e \"${sha_file}\" ]; then\n    arch_sha=$(\u003c\"${sha_file}\")\n    arch_imageanddigest=$(echo -n \"${imagewithouttag}@${arch_sha}\")\n  else\n    echo \"Couldn't find the SHA file for the requested architecture.\"\n    exit 1\n  fi\n\n  echo \"Selecting auth\"\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${arch_imageanddigest}\" \u003e/tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n\n  # Attempt to download the SBOM file via cosign\n\n  if ! 
retry cosign download sbom \"${arch_imageanddigest}\" \u003e \"${sbom_file_path}\"; then\n    echo \"Unable to download SBOM for the architecture ${arch}.\"\n    exit 1\n  fi\n\n  if [ -e \"${sbom_file_path}\" ]; then\n    local arch_sha\n    arch_sha=$(\u003c\"$sha_file\")\n\n    echo \"Running TPA scan on $arch image manifest...\"\n    tpa_scan \"${sbom_file_path}\" \"$arch\" || true\n\n    digests_processed+=(\"\\\"$arch_sha\\\"\")\n  else\n    echo \"Couldn't find the SBOM file for the requested ${arch} architecture.\"\n    exit 1\n  fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run the tpa scan on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n  arch=\"${platform#*/}\"\n  if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n    arch=\"amd64\"\n  fi\n  # Validate against supported arch list. If it's not a known arch, fallback to amd64\n  case \"$arch\" in\n    amd64|ppc64le|arm64|s390x)\n      ;;\n    *)\n      echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n      exit 1\n      ;;\n  esac\n\n  run_tpa_on_arch \"$arch\"\n\n# If no platform is specified, run TPA scan on all available image manifests\nelse\n  for sha_file in image-manifest-*.sha; do\n    if [ -e \"$sha_file\" ]; then\n      arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n      run_tpa_on_arch \"$arch\"\n    fi\n  done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n  digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "env": [
                                {
                                    "name": "SKIP_OCI_ATTACH_REPORT",
                                    "value": "false"
                                },
                                {
                                    "name": "IMAGE_URL",
                                    "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:c4c58d9f5a73ead48869e244d9df08f43841367b"
                                }
                            ],
                            "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5",
                            "name": "oci-attach-report",
                            "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n  echo 'OCI attach report skipped by parameter.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nif ! compgen -G \"tpa-report-*.json\" \u003e /dev/null; then\n  echo 'No TPA reports generated. Skipping upload.'\n  echo '{}' \u003e reports.json\n  exit 0\nfi\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n  report_file=\"$1\"\n  arch=\"${report_file/*-}\"\n  echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.tpa-report+json'\n\nreports_json=\"{}\"\nfor f in tpa-report-*.json; do\n  digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n  image_ref=\"${repository}@${digest}\"\n  mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${image_ref}\" \u003e/tmp/auth/config.json\n  export DOCKER_CONFIG=/tmp/auth\n  echo \"Attaching $f to ${image_ref}\"\n  if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n    \"/tmp/auth/config.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n  then\n    echo \"Failed to attach ${f} to ${image_ref}\"\n    exit 1\n  fi\n  # shellcheck disable=SC2016\n  reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n",
                            "workingDir": "/tekton/home"
                        },
                        {
                            "computeResources": {
                                "limits": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                },
                                "requests": {
                                    "cpu": "100m",
                                    "memory": "256Mi"
                                }
                            },
                            "image": "quay.io/redhat-user-workloads/rhtap-integration-tenant/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac",
                            "name": "conftest-vulnerabilities",
                            "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\ntpa_result_files=$(ls /tekton/home/tpa-report-*.json 2\u003e/dev/null || true)\nif [ -z \"$tpa_result_files\" ]; then\n  echo \"Previous step [get-vulnerabilities] failed: No tpa-report files found in /tekton/home.\"\n  exit 1\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $tpa_result_files; do\n  file_suffix=$(basename \"$file\" | sed 's/tpa-report-//;s/.json//')\n  if [ ! -s \"$file\" ]; then\n    echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n  else\n    /usr/bin/conftest test --no-fail $file \\\n    --policy /project/rhtpa/vulnerabilities-check.rego --namespace required_checks \\\n    --output=json | tee /tekton/home/tpa-vulnerabilities-\"${file_suffix}\".json || true\n  fi\n\n  #check for missing \"tpa-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n  if [ ! -f \"/tekton/home/tpa-vulnerabilities-$file_suffix.json\" ]; then\n    missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/tpa-vulnerabilities-$file_suffix.json\"\n  fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n  note=\"Task tpa-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n  TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n  echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n  echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n  exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/tpa-vulnerabilities-*.json; do\n    result=$(jq -rce \\\n        '{\n            vulnerabilities:{\n              critical: (.[] | .warnings? 
// [] | map(select(.metadata.details.name==\"rhtpa_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            },\n            unpatched_vulnerabilities:{\n              critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n              unknown: (.[] | .warnings? 
// [] | map(select(.metadata.details.name==\"rhtpa_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n            }\n        }' \"$file\")\n\n    scan_result=$(jq -s -rce \\\n          '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n          .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n          .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n          .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n          .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n          .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n          .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n          .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n          .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n          .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n          .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n",
                            "securityContext": {
                                "capabilities": {
                                    "add": [
                                        "SETFCAP"
                                    ]
                                }
                            }
                        }
                    ],
                    "volumes": [
                        {
                            "configMap": {
                                "items": [
                                    {
                                        "key": "ca-bundle.crt",
                                        "path": "ca-bundle.crt"
                                    }
                                ],
                                "name": "trusted-ca",
                                "optional": true
                            },
                            "name": "trusted-ca"
                        }
                    ]
                }
            }
        }
    ],
    "kind": "List",
    "metadata": {
        "resourceVersion": ""
    }
}
