{ "apiVersion": "v1", "items": [ { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=dcbb8e7039052b0fb3f0735151202e743054ac78", "build.appstudio.redhat.com/commit_sha": "dcbb8e7039052b0fb3f0735151202e743054ac78", "build.appstudio.redhat.com/pull_request_number": "238", "build.appstudio.redhat.com/target_branch": "base-vytaap", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6", "pipelinesascode.tekton.dev/branch": "base-vytaap", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "73008030180", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jzvowj", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "112348674", "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-c26eaf2d8c.guab.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-pull-request-5dgmx", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-vytaap\"", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "238", "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhads-tsf-ci[bot]", "pipelinesascode.tekton.dev/sha": "dcbb8e7039052b0fb3f0735151202e743054ac78", "pipelinesascode.tekton.dev/sha-title": "RHADS-TSF-CI update tsf-demo-comp", "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/dcbb8e7039052b0fb3f0735151202e743054ac78", "pipelinesascode.tekton.dev/source-branch": "konflux-tsf-demo-comp", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "default-tenant/results/da346956-c90d-42af-866b-7b9eff29455d/records/86dac2d4-8007-4930-a664-539c781e9474", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"dcbb8e7039052b0fb3f0735151202e743054ac78\",\"eventType\":\"pull_request\",\"pull_request-id\":238}", "results.tekton.dev/result": "default-tenant/results/da346956-c90d-42af-866b-7b9eff29455d", "results.tekton.dev/stored": "true", "tekton.dev/categories": "Git", "tekton.dev/displayName": "git clone oci trusted artifacts", "tekton.dev/pipelines.minVersion": "0.21.0", "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64", "tekton.dev/tags": "git", "test.appstudio.openshift.io/pr-group": "konflux-tsf-demo-comp", "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed" }, "creationTimestamp": "2026-04-25T12:20:36Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.37.7", "appstudio.openshift.io/application": "tsf-demo-app", "appstudio.openshift.io/component": "tsf-demo-comp", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "73008030180", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "238", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/sha": "dcbb8e7039052b0fb3f0735151202e743054ac78", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "tsf-demo-comp-on-pull-request-5dgmx", "tekton.dev/pipelineRun": "tsf-demo-comp-on-pull-request-5dgmx", "tekton.dev/pipelineRunUID": "da346956-c90d-42af-866b-7b9eff29455d", "tekton.dev/pipelineTask": "clone-repository", "tekton.dev/task": "git-clone-oci-ta-min", "test.appstudio.openshift.io/pr-group-sha": "e5069fd5afbb0dd2d302e33fb7e375be47613ee02b0ea3b06542f7ea04bca2" }, "name": "tsf-demo-comp-on-pull-request-5dgmx-clone-repository", "namespace": "default-tenant", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "tsf-demo-comp-on-pull-request-5dgmx", "uid": "da346956-c90d-42af-866b-7b9eff29455d" } ], "resourceVersion": "42358", "uid": "86dac2d4-8007-4930-a664-539c781e9474" }, "spec": { "params": [ { "name": "url", "value": "https://github.com/rhads-tsf-qe/testrepo" }, { "name": "revision", "value": "dcbb8e7039052b0fb3f0735151202e743054ac78" }, { "name": "ociStorage", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:on-pr-dcbb8e7039052b0fb3f0735151202e743054ac78.git" }, { "name": "ociArtifactExpiresAfter", "value": "5d" } ], "serviceAccountName": "build-pipeline-tsf-demo-comp", "status": "TaskRunCancelled", "statusMessage": "TaskRun cancelled as the PipelineRun it belongs to has been cancelled.", "taskRef": { "params": [ { "name": "name", "value": "git-clone-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min:0.1@sha256:2fff50eaed7d278c3ed82375d28241eaf6eecbc389ec4d44992721786a0dfa68" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s", "workspaces": [ { "name": "basic-auth", "secret": { "secretName": "pac-gitauth-jzvowj" } } ] }, "status": { "completionTime": "2026-04-25T12:20:37Z", "conditions": [ { "lastTransitionTime": "2026-04-25T12:20:37Z", "message": "TaskRun \"tsf-demo-comp-on-pull-request-5dgmx-clone-repository\" was cancelled. TaskRun cancelled as the PipelineRun it belongs to has been cancelled.", "reason": "TaskRunCancelled", "status": "False", "type": "Succeeded" } ], "podName": "tsf-demo-comp-on-pull-request-5dgmx-clone-repository-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "2fff50eaed7d278c3ed82375d28241eaf6eecbc389ec4d44992721786a0dfa68" }, "entryPoint": "git-clone-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min" } }, "startTime": "2026-04-25T12:20:36Z", "steps": [ { "container": "step-clone", "name": "clone", "terminated": { "exitCode": 1, "finishedAt": "2026-04-25T12:20:37Z", "message": "Step clone terminated as pod tsf-demo-comp-on-pull-request-5dgmx-clone-repository-pod is terminated", "reason": "TaskRunCancelled", "startedAt": "2026-04-25T12:20:36Z" }, "terminationReason": "TaskRunCancelled" }, { "container": "step-symlink-check", "name": "symlink-check", "terminated": { "exitCode": 1, "finishedAt": "2026-04-25T12:20:37Z", "message": "Step symlink-check terminated as pod tsf-demo-comp-on-pull-request-5dgmx-clone-repository-pod is terminated", "reason": "TaskRunCancelled", "startedAt": "2026-04-25T12:20:36Z" }, "terminationReason": "TaskRunCancelled" }, { "container": "step-create-trusted-artifact", "name": "create-trusted-artifact", "terminated": { "exitCode": 1, "finishedAt": "2026-04-25T12:20:37Z", "message": "Step create-trusted-artifact terminated as pod tsf-demo-comp-on-pull-request-5dgmx-clone-repository-pod is terminated", "reason": "TaskRunCancelled", "startedAt": "2026-04-25T12:20:36Z" }, "terminationReason": "TaskRunCancelled" } ], "taskSpec": { "description": "The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted artifact in the provided OCI repository.", "params": [ { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "1", "description": "Perform a shallow clone, fetching only the most recent N commits.", "name": "depth", "type": "string" }, { "default": "true", "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n", "name": "enableSymlinkCheck", "type": "string" }, { "default": "false", "description": "Fetch all tags for the repo.", "name": "fetchTags", "type": "string" }, { "default": "", "description": "HTTP proxy server for non-SSL requests.", "name": "httpProxy", "type": "string" }, { "default": "", "description": "HTTPS proxy server for SSL requests.", "name": "httpsProxy", "type": "string" }, { "default": "", "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n", "name": "mergeSourceDepth", "type": "string" }, { "default": "", "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n", "name": "mergeSourceRepoUrl", "type": "string" }, { "default": "false", "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.", "name": "mergeTargetBranch", "type": "string" }, { "default": "", "description": "Opt out of proxying HTTP/HTTPS requests.", "name": "noProxy", "type": "string" }, { "default": "", "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.", "name": "ociArtifactExpiresAfter", "type": "string" }, { "description": "The OCI repository where the Trusted Artifacts are stored.", "name": "ociStorage", "type": "string" }, { "default": "", "description": "Refspec to fetch before checking out revision.", "name": "refspec", "type": "string" }, { "default": "", "description": "Revision to checkout. (branch, tag, sha, ref, etc...)", "name": "revision", "type": "string" }, { "default": "7", "description": "Length of short commit SHA", "name": "shortCommitLength", "type": "string" }, { "default": "", "description": "Define the directory patterns to match or exclude when performing a sparse checkout.", "name": "sparseCheckoutDirectories", "type": "string" }, { "default": "true", "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.", "name": "sslVerify", "type": "string" }, { "default": "", "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n", "name": "submodulePaths", "type": "string" }, { "default": "true", "description": "Initialize and fetch git submodules.", "name": "submodules", "type": "string" }, { "default": "main", "description": "The target branch to merge into the revision (if mergeTargetBranch is true).", "name": "targetBranch", "type": "string" }, { "description": "Repository URL to clone from.", "name": "url", "type": "string" }, { "default": "/tekton/home", "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n", "name": "userHome", "type": "string" }, { "default": "false", "description": "Log the commands that are executed during `git-clone`'s operation.", "name": "verbose", "type": "string" } ], "results": [ { "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_COMMIT", "type": "string" }, { "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_URL", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "description": "The precise commit SHA that was fetched by this Task.", "name": "commit", "type": "string" }, { "description": "The commit timestamp of the checkout", "name": "commit-timestamp", "type": "string" }, { "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).", "name": "merged_sha", "type": "string" }, { "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters", "name": "short-commit", "type": "string" }, { "description": "The precise URL that was fetched by this Task.", "name": "url", "type": "string" } ], "steps": [ { "computeResources": {}, "env": [ { "name": "HOME", "value": "/tekton/home" }, { "name": "PARAM_URL", "value": "https://github.com/rhads-tsf-qe/testrepo" }, { "name": "PARAM_REVISION", "value": "dcbb8e7039052b0fb3f0735151202e743054ac78" }, { "name": "PARAM_REFSPEC" }, { "name": "PARAM_SUBMODULES", "value": "true" }, { "name": "PARAM_SUBMODULE_PATHS" }, { "name": "PARAM_DEPTH", "value": "1" }, { "name": "PARAM_SHORT_COMMIT_LENGTH", "value": "7" }, { "name": "PARAM_SSL_VERIFY", "value": "true" }, { "name": "PARAM_HTTP_PROXY" }, { "name": "PARAM_HTTPS_PROXY" }, { "name": "PARAM_NO_PROXY" }, { "name": "PARAM_VERBOSE", "value": "false" }, { "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES" }, { "name": "PARAM_USER_HOME", "value": "/tekton/home" }, { "name": "PARAM_FETCH_TAGS", "value": "false" }, { "name": "PARAM_MERGE_TARGET_BRANCH", "value": "false" }, { "name": "PARAM_TARGET_BRANCH", "value": "main" }, { "name": "PARAM_MERGE_SOURCE_REPO_URL" }, { "name": "PARAM_MERGE_SOURCE_DEPTH" }, { "name": "WORKSPACE_SSH_DIRECTORY_BOUND", "value": "false" }, { "name": "WORKSPACE_SSH_DIRECTORY_PATH" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND", "value": "true" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH", "value": "/workspace/basic-auth" }, { "name": "CHECKOUT_DIR", "value": "/var/workdir/source" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ]; then\n set -x\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ]; then\n if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n # Compatibility with kubernetes.io/basic-auth secrets\n elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e\"${PARAM_USER_HOME}/.git-credentials\"\n echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n helper = store\" \u003e\"${PARAM_USER_HOME}/.gitconfig\"\n else\n echo \"Unknown basic-auth workspace format\"\n exit 1\n fi\n chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ]; then\n cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n -url=\"${PARAM_URL}\" \\\n -revision=\"${PARAM_REVISION}\" \\\n -refspec=\"${PARAM_REFSPEC}\" \\\n -path=\"${CHECKOUT_DIR}\" \\\n -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n -submodules=\"${PARAM_SUBMODULES}\" \\\n -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n -depth=\"${PARAM_DEPTH}\" \\\n -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n # Determine if merging from a different repository or the same one\n if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n normalize_url() {\n echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n }\n\n NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n MERGE_REMOTE=\"origin\"\n else\n echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n echo \"Adding remote 'merge-source'...\"\n git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n MERGE_REMOTE=\"merge-source\"\n fi\n else\n echo \"Merging from the same repository (origin)\"\n MERGE_REMOTE=\"origin\"\n fi\n\n echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n else\n retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n fi\n\n echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n git config --global user.email \"tekton-git-clone@tekton.dev\"\n git config --global user.name \"Tekton Git Clone Task\"\n\n if ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n echo \"--- Git Status ---\"\n git status\n echo \"------------------\"\n exit 1\n fi\n\n # Check if there are changes staged for commit\n if git diff --staged --quiet; then\n echo \"No diff was found, skipping merge...\" \u003e\u00262\n else\n echo \"Merge successful (no conflicts found), committing...\"\n if ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n exit 1\n fi\n MERGED_SHA=$(git rev-parse HEAD)\n echo \"New HEAD after merge: ${MERGED_SHA}\"\n echo \"${MERGED_SHA}\" \u003e\"/tekton/results/merged_sha\"\n fi\n\nelse\n echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e\"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e\"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ]; then\n echo \"Fetching tags\"\n retry git fetch --tags\nfi\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/workdir", "name": "workdir" } ] }, { "computeResources": {}, "env": [ { "name": "PARAM_ENABLE_SYMLINK_CHECK", "value": "true" }, { "name": "CHECKOUT_DIR", "value": "/var/workdir/source" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "script": "#!/usr/bin/env bash\nset -euo pipefail\n\ncheck_symlinks() {\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n while read -r symlink; do\n target=$(readlink -m \"$symlink\")\n if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n fi\n done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ]; then\n return 1\n fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ]; then\n echo \"Running symlink check\"\n check_symlinks\nfi\n", "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, { "args": [ "create", "--store", "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:on-pr-dcbb8e7039052b0fb3f0735151202e743054ac78.git", "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_EXPIRES_AFTER", "value": "5d" } ], "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad", "name": "create-trusted-artifact", "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ], "workspaces": [ { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n", "name": "basic-auth", "optional": true }, { "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n", "name": "ssh-directory", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=dcbb8e7039052b0fb3f0735151202e743054ac78", "build.appstudio.redhat.com/commit_sha": "dcbb8e7039052b0fb3f0735151202e743054ac78", "build.appstudio.redhat.com/pull_request_number": "238", "build.appstudio.redhat.com/target_branch": "base-vytaap", "chains.tekton.dev/signed": "true", "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=3", "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6", "pipelinesascode.tekton.dev/branch": "base-vytaap", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "73008030180", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jzvowj", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "112348674", "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-c26eaf2d8c.guab.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-pull-request-5dgmx", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-vytaap\"", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "238", "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhads-tsf-ci[bot]", "pipelinesascode.tekton.dev/sha": "dcbb8e7039052b0fb3f0735151202e743054ac78", "pipelinesascode.tekton.dev/sha-title": "RHADS-TSF-CI update tsf-demo-comp", "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/dcbb8e7039052b0fb3f0735151202e743054ac78", "pipelinesascode.tekton.dev/source-branch": "konflux-tsf-demo-comp", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "default-tenant/results/da346956-c90d-42af-866b-7b9eff29455d/records/745652ac-1bdb-4804-9275-6c4293fce8bb", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"dcbb8e7039052b0fb3f0735151202e743054ac78\",\"eventType\":\"pull_request\",\"pull_request-id\":238}", "results.tekton.dev/result": "default-tenant/results/da346956-c90d-42af-866b-7b9eff29455d", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "test.appstudio.openshift.io/pr-group": "konflux-tsf-demo-comp", "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed" }, "creationTimestamp": "2026-04-25T12:20:30Z", "finalizers": [ "chains.tekton.dev", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.37.7", "appstudio.openshift.io/application": "tsf-demo-app", "appstudio.openshift.io/component": "tsf-demo-comp", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "73008030180", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "238", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/sha": "dcbb8e7039052b0fb3f0735151202e743054ac78", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "tsf-demo-comp-on-pull-request-5dgmx", "tekton.dev/pipelineRun": "tsf-demo-comp-on-pull-request-5dgmx", "tekton.dev/pipelineRunUID": "da346956-c90d-42af-866b-7b9eff29455d", "tekton.dev/pipelineTask": "init", "tekton.dev/task": "init", "test.appstudio.openshift.io/pr-group-sha": "e5069fd5afbb0dd2d302e33fb7e375be47613ee02b0ea3b06542f7ea04bca2" }, "name": "tsf-demo-comp-on-pull-request-5dgmx-init", "namespace": "default-tenant", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "tsf-demo-comp-on-pull-request-5dgmx", "uid": "da346956-c90d-42af-866b-7b9eff29455d" } ], "resourceVersion": "42218", "uid": "745652ac-1bdb-4804-9275-6c4293fce8bb" }, "spec": { "params": [ { "name": "enable-cache-proxy", "value": "false" } ], "serviceAccountName": "build-pipeline-tsf-demo-comp", "taskRef": { "params": [ { "name": "name", "value": "init" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-04-25T12:20:36Z", "conditions": [ { "lastTransitionTime": "2026-04-25T12:20:36Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "tsf-demo-comp-on-pull-request-5dgmx-init-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19" }, "entryPoint": "init", "uri": "quay.io/konflux-ci/tekton-catalog/task-init" } }, "results": [ { "name": "http-proxy", "type": "string", "value": "" }, { "name": "no-proxy", "type": "string", "value": "" } ], "startTime": "2026-04-25T12:20:30Z", "steps": [ { "container": "step-init", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:2d1039b614888ca46d5d771ca886a5843e56ac9acf7210040a61075371338247", "name": "init", "terminated": { "containerID": "cri-o://7cc50acb993d847bb72932154c0e31d6011ccb17932266f27c902457e0387d20", "exitCode": 0, "finishedAt": "2026-04-25T12:20:35Z", "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:20:35Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.", "params": [ { "default": "false", "description": "Enable cache proxy configuration", "name": "enable-cache-proxy", "type": "string" } ], "results": [ { "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)", "name": "http-proxy", "type": "string" }, { "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)", "name": "no-proxy", "type": "string" } ], "steps": [ { "args": [ "--enable", "false" ], "command": [ "konflux-build-cli", "config", "cache-proxy" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" }, { "name": "DEFAULT_HTTP_PROXY", "value": "squid.caching.svc.cluster.local:3128" }, { "name": "DEFAULT_NO_PROXY", "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai" }, { "name": "HTTP_PROXY_RESULTS_PATH", "value": "/tekton/results/http-proxy" }, { "name": "NO_PROXY_RESULTS_PATH", "value": "/tekton/results/no-proxy" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf", "name": "init" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=3bad3b2611049e803e50c6ac2037f9b140c364d0", "build.appstudio.redhat.com/commit_sha": "3bad3b2611049e803e50c6ac2037f9b140c364d0", "build.appstudio.redhat.com/pull_request_number": "237", "build.appstudio.redhat.com/target_branch": "base-ebdlek", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6", "pipelinesascode.tekton.dev/branch": "base-ebdlek", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "73007915814", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-ixeomy", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "112348674", "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-c26eaf2d8c.guab.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-pull-request-976rr", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"base-ebdlek\"", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "237", "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhads-tsf-ci[bot]", "pipelinesascode.tekton.dev/sha": "3bad3b2611049e803e50c6ac2037f9b140c364d0", "pipelinesascode.tekton.dev/sha-title": "RHADS-TSF-CI update tsf-demo-comp", "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/3bad3b2611049e803e50c6ac2037f9b140c364d0", "pipelinesascode.tekton.dev/source-branch": "konflux-tsf-demo-comp", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "default-tenant/results/ee1dd191-163f-4960-8876-335b541dc3dc/records/8de27b36-bd04-4408-a228-d61122e56f4b", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"3bad3b2611049e803e50c6ac2037f9b140c364d0\",\"eventType\":\"pull_request\",\"pull_request-id\":237}", "results.tekton.dev/result": "default-tenant/results/ee1dd191-163f-4960-8876-335b541dc3dc", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "test.appstudio.openshift.io/pr-group": "konflux-tsf-demo-comp", "test.appstudio.openshift.io/snapshot-creation-report": "SnapshotCreationFailed" }, "creationTimestamp": "2026-04-25T12:18:04Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.37.7", "appstudio.openshift.io/application": "tsf-demo-app", "appstudio.openshift.io/component": "tsf-demo-comp", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "73007915814", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "237", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/sha": "3bad3b2611049e803e50c6ac2037f9b140c364d0", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "tsf-demo-comp-on-pull-request-976rr", "tekton.dev/pipelineRun": "tsf-demo-comp-on-pull-request-976rr", "tekton.dev/pipelineRunUID": "ee1dd191-163f-4960-8876-335b541dc3dc", "tekton.dev/pipelineTask": "init", "tekton.dev/task": "init", "test.appstudio.openshift.io/pr-group-sha": "e5069fd5afbb0dd2d302e33fb7e375be47613ee02b0ea3b06542f7ea04bca2" }, "name": "tsf-demo-comp-on-pull-request-976rr-init", "namespace": "default-tenant", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "tsf-demo-comp-on-pull-request-976rr", "uid": "ee1dd191-163f-4960-8876-335b541dc3dc" } ], "resourceVersion": "39998", "uid": "8de27b36-bd04-4408-a228-d61122e56f4b" }, "spec": { "params": [ { "name": "enable-cache-proxy", "value": "false" } ], "serviceAccountName": "build-pipeline-tsf-demo-comp", "status": "TaskRunCancelled", "statusMessage": "TaskRun cancelled as the PipelineRun it belongs to has been cancelled.", "taskRef": { "params": [ { "name": "name", "value": "init" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "completionTime": "2026-04-25T12:18:13Z", "conditions": [ { "lastTransitionTime": "2026-04-25T12:18:13Z", "message": "TaskRun \"tsf-demo-comp-on-pull-request-976rr-init\" was cancelled. TaskRun cancelled as the PipelineRun it belongs to has been cancelled.", "reason": "TaskRunCancelled", "status": "False", "type": "Succeeded" } ], "podName": "tsf-demo-comp-on-pull-request-976rr-init-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19" }, "entryPoint": "init", "uri": "quay.io/konflux-ci/tekton-catalog/task-init" } }, "startTime": "2026-04-25T12:18:04Z", "steps": [ { "container": "step-init", "name": "init", "terminated": { "exitCode": 1, "finishedAt": "2026-04-25T12:18:13Z", "message": "Step init terminated as pod tsf-demo-comp-on-pull-request-976rr-init-pod is terminated", "reason": "TaskRunCancelled", "startedAt": "2026-04-25T12:18:04Z" }, "terminationReason": "TaskRunCancelled" } ], "taskSpec": { "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.", "params": [ { "default": "false", "description": "Enable cache proxy configuration", "name": "enable-cache-proxy", "type": "string" } ], "results": [ { "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)", "name": "http-proxy", "type": "string" }, { "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)", "name": "no-proxy", "type": "string" } ], "steps": [ { "args": [ "--enable", "false" ], "command": [ "konflux-build-cli", "config", "cache-proxy" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" }, { "name": "DEFAULT_HTTP_PROXY", "value": "squid.caching.svc.cluster.local:3128" }, { "name": "DEFAULT_NO_PROXY", "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai" }, { "name": "HTTP_PROXY_RESULTS_PATH", "value": "/tekton/results/http-proxy" }, { "name": "NO_PROXY_RESULTS_PATH", "value": "/tekton/results/no-proxy" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf", "name": "init" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/commit_sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/target_branch": "base-ebdlek", "chains.tekton.dev/signed": "true", "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=10", "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6", "pipelinesascode.tekton.dev/branch": "base-ebdlek", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jgbbjj", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "112348674", "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-c26eaf2d8c.guab.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-bqvg7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ebdlek\"", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #237 from rhads-tsf-qe/konflux-tsf-demo-comp", "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ebdlek", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7/records/87e64941-087e-4150-8b28-6fbccc2ea6f7", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"eventType\":\"push\"}", "results.tekton.dev/result": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux" }, "creationTimestamp": "2026-04-25T12:19:17Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.37.7", "appstudio.openshift.io/application": "tsf-demo-app", "appstudio.openshift.io/component": "tsf-demo-comp", "build.appstudio.redhat.com/build_type": "docker", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRunUID": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "tekton.dev/pipelineTask": "build-container", "tekton.dev/task": "buildah-oci-ta-min" }, "name": "tsf-demo-comp-on-push-bqvg7-build-container", "namespace": "default-tenant", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "tsf-demo-comp-on-push-bqvg7", "uid": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7" } ], "resourceVersion": "43481", "uid": "87e64941-087e-4150-8b28-6fbccc2ea6f7" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "DOCKERFILE", "value": "Dockerfile" }, { "name": "CONTEXT", "value": "." }, { "name": "HERMETIC", "value": "false" }, { "name": "PREFETCH_INPUT", "value": "" }, { "name": "IMAGE_EXPIRES_AFTER", "value": "" }, { "name": "COMMIT_SHA", "value": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "BUILD_ARGS", "value": [] }, { "name": "BUILD_ARGS_FILE", "value": "" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SOURCE_URL", "value": "https://github.com/rhads-tsf-qe/testrepo" }, { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "HTTP_PROXY", "value": "" }, { "name": "NO_PROXY", "value": "" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:460ccd2352bd90cc6f22277c8a9c5aedd1fb03230d4afe854adbe5d44cf78e05" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "serviceAccountName": "build-pipeline-tsf-demo-comp", "taskRef": { "params": [ { "name": "name", "value": "buildah-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min:0.9@sha256:95c1b5a8b454e19bd4eb28bf90ee0247467743d0e0f5737d952dce1a99108d2f" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-04-25T12:22:00Z", "conditions": [ { "lastTransitionTime": "2026-04-25T12:22:00Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "tsf-demo-comp-on-push-bqvg7-build-container-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "95c1b5a8b454e19bd4eb28bf90ee0247467743d0e0f5737d952dce1a99108d2f" }, "entryPoint": "buildah-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min" } }, "results": [ { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb" }, { "name": "IMAGE_REF", "type": "string", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31@sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "SBOM_BLOB_URL", "type": "string", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:2f320524a4878030fc6235e709237045b5d371fe7d9e5984a2539b95c5706417" } ], "startTime": "2026-04-25T12:19:17Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad", "name": "use-trusted-artifact", "terminated": { "containerID": "cri-o://7900e322e7c0b81fa071e61d7e3943fed8811ab682c888790c2171a1cc2e22ed", "exitCode": 0, "finishedAt": "2026-04-25T12:19:48Z", "reason": "Completed", "startedAt": "2026-04-25T12:19:48Z" }, "terminationReason": "Completed" }, { "container": "step-build", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "build", "terminated": { "containerID": "cri-o://04b531410c6c8e3ef69868859b64f23f55350e181ad708b63366734a2c34c101", "exitCode": 0, "finishedAt": "2026-04-25T12:20:33Z", "reason": "Completed", "startedAt": "2026-04-25T12:19:49Z" }, "terminationReason": "Completed" }, { "container": "step-push", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "push", "terminated": { "containerID": "cri-o://7ed2afb9e4091cac2409f436acb36bffffe3e55ed1b0f79bc2e61661da823c30", "exitCode": 0, "finishedAt": "2026-04-25T12:20:50Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31@sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:20:34Z" }, "terminationReason": "Completed" }, { "container": "step-sbom-syft-generate", "imageID": "quay.io/konflux-ci/task-runner@sha256:b22b989da3c95cb0af862eeb82531ed4f687e948ca5fb6b965d1ea8fbd5054ce", "name": "sbom-syft-generate", "terminated": { "containerID": "cri-o://a5cdffbfc68666993f93c10b4f72180d1b0fbf3b52c2e69906d371333c3b40ad", "exitCode": 0, "finishedAt": "2026-04-25T12:21:30Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31@sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:20:50Z" }, "terminationReason": "Completed" }, { "container": "step-prepare-sboms", "imageID": "quay.io/konflux-ci/mobster@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "terminated": { "containerID": "cri-o://ec032feb15488e026a1d6c12097ff687112b8139e024e1f3b22badcff935bb2b", "exitCode": 0, "finishedAt": "2026-04-25T12:21:53Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31@sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:21:31Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:b22b989da3c95cb0af862eeb82531ed4f687e948ca5fb6b965d1ea8fbd5054ce", "name": "upload-sbom", "terminated": { "containerID": "cri-o://2d7f4b1b986b07daf42b350dd2afcc16ca52d0b1671ed99bc323bb38134704c0", "exitCode": 0, "finishedAt": "2026-04-25T12:22:00Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31@sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:2f320524a4878030fc6235e709237045b5d371fe7d9e5984a2539b95c5706417\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:21:53Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.", "params": [ { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" }, { "default": [], "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings", "name": "ADDITIONAL_BASE_IMAGES", "type": "array" }, { "default": "does-not-exist", "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET", "name": "ADDITIONAL_SECRET", "type": "string" }, { "default": "", "description": "Comma separated list of extra capabilities to add when running 'buildah build'", "name": "ADD_CAPABILITIES", "type": "string" }, { "default": [], "description": "Additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS", "type": "array" }, { "default": "", "description": "Path to a file with additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS_FILE", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": [], "description": "Array of --build-arg values (\"arg=value\" strings)", "name": "BUILD_ARGS", "type": "array" }, { "default": "", "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file", "name": "BUILD_ARGS_FILE", "type": "string" }, { "default": "", "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.", "name": "BUILD_TIMESTAMP", "type": "string" }, { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "", "description": "The image is built from this commit.", "name": "COMMIT_SHA", "type": "string" }, { "default": ".", "description": "Path to the directory to use as context.", "name": "CONTEXT", "type": "string" }, { "default": "true", "description": "Determines if SBOM will be contextualized.", "name": "CONTEXTUALIZE_SBOM", "type": "string" }, { "default": "./Dockerfile", "description": "Path to the Dockerfile to build.", "name": "DOCKERFILE", "type": "string" }, { "default": "etc-pki-entitlement", "description": "Name of secret which contains the entitlement certificates", "name": "ENTITLEMENT_SECRET", "type": "string" }, { "default": [], "description": "Array of --env values (\"env=value\" strings)", "name": "ENV_VARS", "type": "array" }, { "default": "false", "description": "Determines if build will be executed without network access.", "name": "HERMETIC", "type": "string" }, { "default": "", "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.", "name": "HTTP_PROXY", "type": "string" }, { "default": "true", "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection", "name": "ICM_KEEP_COMPAT_LOCATION", "type": "string" }, { "description": "Reference of the image buildah will produce.", "name": "IMAGE", "type": "string" }, { "default": "", "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.", "name": "IMAGE_EXPIRES_AFTER", "type": "string" }, { "default": "true", "description": "Determines if the image inherits the base image labels.", "name": "INHERIT_BASE_IMAGE_LABELS", "type": "string" }, { "default": [], "description": "Additional key=value labels that should be applied to the image", "name": "LABELS", "type": "array" }, { "default": "", "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.", "name": "NO_PROXY", "type": "string" }, { "default": "false", "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.", "name": "OMIT_HISTORY", "type": "string" }, { "default": "", "description": "In case it is not empty, the prefetched content should be made available to the build.", "name": "PREFETCH_INPUT", "type": "string" }, { "default": "false", "description": "Whether to enable privileged mode, should be used only with remote VMs", "name": "PRIVILEGED_NESTED", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.", "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "caching-ca-bundle", "description": "The name of the ConfigMap to read proxy CA bundle data from.", "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "false", "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.", "name": "REWRITE_TIMESTAMP", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.", "name": "SBOM_SOURCE_SCAN_ENABLED", "type": "string" }, { "default": "", "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection", "name": "SBOM_SYFT_SELECT_CATALOGERS", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.", "name": "SBOM_TYPE", "type": "string" }, { "default": "false", "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.", "name": "SKIP_INJECTIONS", "type": "string" }, { "default": "false", "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled", "name": "SKIP_SBOM_GENERATION", "type": "string" }, { "default": "true", "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages", "name": "SKIP_UNUSED_STAGES", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": "", "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.", "name": "SOURCE_DATE_EPOCH", "type": "string" }, { "default": "", "description": "The image is built from this URL.", "name": "SOURCE_URL", "type": "string" }, { "default": "false", "description": "Squash all new and previous layers added as a part of this build, as per --squash", "name": "SQUASH", "type": "string" }, { "default": "overlay", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "", "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.", "name": "TARGET_STAGE", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "default": "", "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).", "name": "WORKINGDIR_MOUNT", "type": "string" }, { "default": "fetched.repos.d", "description": "Path in source workspace where dynamically-fetched repos are present", "name": "YUM_REPOS_D_FETCHED", "type": "string" }, { "default": "repos.d", "description": "Path in the git repository in which yum repository files are stored", "name": "YUM_REPOS_D_SRC", "type": "string" }, { "default": "/etc/yum.repos.d", "description": "Target path on the container in which yum repository files should be made available", "name": "YUM_REPOS_D_TARGET", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image reference of the built image", "name": "IMAGE_REF", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "ACTIVATION_KEY", "value": "activation-key" }, { "name": "ADDITIONAL_SECRET", "value": "does-not-exist" }, { "name": "ADD_CAPABILITIES" }, { "name": "ANNOTATIONS_FILE" }, { "name": "BUILD_ARGS_FILE" }, { "name": "BUILD_TIMESTAMP" }, { "name": "CONTEXT", "value": "." }, { "name": "CONTEXTUALIZE_SBOM", "value": "true" }, { "name": "ENTITLEMENT_SECRET", "value": "etc-pki-entitlement" }, { "name": "HERMETIC", "value": "false" }, { "name": "IMAGE", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "IMAGE_EXPIRES_AFTER" }, { "name": "INHERIT_BASE_IMAGE_LABELS", "value": "true" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SBOM_SKIP_VALIDATION", "value": "true" }, { "name": "SBOM_SOURCE_SCAN_ENABLED", "value": "true" }, { "name": "SBOM_SYFT_SELECT_CATALOGERS" }, { "name": "SBOM_TYPE", "value": "spdx" }, { "name": "SKIP_INJECTIONS", "value": "false" }, { "name": "SKIP_SBOM_GENERATION", "value": "false" }, { "name": "SKIP_UNUSED_STAGES", "value": "true" }, { "name": "SOURCE_CODE_DIR", "value": "source" }, { "name": "SQUASH", "value": "false" }, { "name": "STORAGE_DRIVER", "value": "overlay" }, { "name": "TARGET_STAGE" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "WORKINGDIR_MOUNT" }, { "name": "YUM_REPOS_D_FETCHED", "value": "fetched.repos.d" }, { "name": "YUM_REPOS_D_SRC", "value": "repos.d" }, { "name": "YUM_REPOS_D_TARGET", "value": "/etc/yum.repos.d" } ], "imagePullPolicy": "IfNotPresent", "volumeMounts": [ { "mountPath": "/shared", "name": "shared" }, { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:460ccd2352bd90cc6f22277c8a9c5aedd1fb03230d4afe854adbe5d44cf78e05=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "args": [ "--build-args", "--env", "--labels", "--annotations" ], "computeResources": { "limits": { "cpu": "500m", "memory": "1Gi" }, "requests": { "cpu": "500m", "memory": "1Gi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "COMMIT_SHA", "value": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "SOURCE_URL", "value": "https://github.com/rhads-tsf-qe/testrepo" }, { "name": "DOCKERFILE", "value": "Dockerfile" }, { "name": "BUILDAH_HTTP_PROXY" }, { "name": "BUILDAH_NO_PROXY" }, { "name": "ICM_KEEP_COMPAT_LOCATION", "value": "true" }, { "name": "BUILDAH_OMIT_HISTORY", "value": "false" }, { "name": "BUILDAH_SOURCE_DATE_EPOCH" }, { "name": "BUILDAH_REWRITE_TIMESTAMP", "value": "false" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "build", "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n fi\n fi\n}\n\nfunction unset_proxy {\n echo \"[$(date --utc -Ins)] Unsetting proxy\"\n unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n\"$source_dir_path\" | \"$source_dir_path/\"*)\n # path is valid, do nothing\n ;;\n*)\n echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n echo \"Source path: $source_dir_path\" \u003e\u00262\n echo \"Resolved path: $context_dir_path\" \u003e\u00262\n exit 1\n ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n # Instrumented builds (SAST) use this custom dockerfile step as their base\n dockerfile_path=\"$DOCKERFILE\"\nelse\n echo \"Cannot find Dockerfile $DOCKERFILE\"\n exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e/etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n while IFS= read -r line || [[ -n \"$line\" ]]; do\n # Skip empty lines and comments\n if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n ANNOTATIONS+=(\"--annotation\" \"$line\")\n fi\n done \u003c\"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --build-args)\n shift\n # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n build_args+=(\"$1\")\n shift\n done\n ;;\n --env)\n shift\n # Collect env entries of the form KEY=value\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n env_vars+=(\"$1\")\n shift\n done\n ;;\n --labels)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n LABELS+=(\"--label\" \"$1\")\n shift\n done\n ;;\n --annotations)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n ANNOTATIONS+=(\"--annotation\" \"$1\")\n shift\n done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e/shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--pull=never\")\n UNSHARE_ARGS+=(\"--net\")\n buildah_retries=3\n\n set_proxy\n\n for image in $BASE_IMAGES; do\n if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"; then\n echo \"Failed to pull base image ${image}\"\n exit 1\n fi\n done\n\n unset_proxy\n\n echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n BUILDAH_ARGS+=(\"--cap-add=all\")\n BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ]; then\n BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ]; then\n BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n fi\n if [ -n \"$BUILD_TIMESTAMP\" ]; then\n echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n exit 1\n fi\n # but do set it so that we get all the labels/annotations associated with it\n BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/var/workdir/cachi2/cachi2.env\" ]; then\n # Identify the current arch to filter the prefetched content\n PREFETCH_ARCH=\"$(uname -m)\"\n echo \"$PREFETCH_ARCH\" \u003e/shared/prefetch-arch\n\n echo \"Prefetched content will be made available\"\n\n cp -r \"/var/workdir/cachi2\" /tmp/\n chmod -R go+rwX /tmp/cachi2\n\n # In case RPMs were prefetched and this is a multi-arch build,\n # clean up the packages that do not match the architecture being built\n RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n echo \"Removing prefetched RPMs from non-matching architectures\"\n PREFETCH_ARCH=\"$(uname -m)\"\n for path in \"$RPM_PREFETCH_DIR\"/*; do\n if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n echo \"Removing: $path\"\n rm -rf \"$path\"\n else\n echo \"Keeping: $path\"\n fi\n done\n fi\n\n VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n sed -E -i \\\n -e 'H;1h;$!d;x' \\\n -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n @igM' \\\n \"$dockerfile_copy\"\n\n prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n mkdir -p \"$YUM_REPOS_D_FETCHED\"\n if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n fi\n fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n \"--label\" \"architecture=$(uname -m)\"\n \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n FINAL_BASE_IMAGE=$(\n # Get the base image of the final stage\n # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n # Run the find_root_stage() function on the final stage\n # If the final stage is scratch or oci-archive, return empty\n jq -r '.Stages as $all_stages |\n def find_root_stage($stage):\n if $stage.From.Stage then\n find_root_stage($all_stages[$stage.From.Stage.Index])\n else\n $stage\n end;\n\n find_root_stage(.Stages[-1]) |\n if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n empty\n else\n .BaseName\n end' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n )\n if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n set_proxy\n buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null$()\n unset_proxy\n buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n if [[ \"$label\" != \"--label\" ]]; then\n label_pairs+=(\"$label\")\n fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n echo \"\" \u003e\u003e\"$dockerfile_copy\"\n # Always write labels.json to the new standard location\n echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n # Conditionally write to the old location for backward compatibility\n if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n cp \"$containerignore\" \"$ignorefile_copy\"\n {\n echo \"\"\n echo \"!/labels.json\"\n echo \"!/content-sets.json\"\n } \u003e\u003e\"$ignorefile_copy\"\n BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n# to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n# shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n mkdir -p /shared/rhsm/etc/pki/entitlement\n mkdir -p /shared/rhsm/etc/pki/consumer\n\n VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key\n -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z\n -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n echo \"Adding activation key to the build\"\n\n if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n # user is not running registration in the Containerfile: pre-register.\n echo \"Pre-registering with subscription manager.\"\n export RETRY_MAX_TRIES=6\n if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"; then\n echo \"Subscription-manager register failed\"\n exit 1\n fi\n unset RETRY_MAX_TRIES\n trap 'subscription-manager unregister || true' EXIT\n\n # copy generated certificates to /shared volume\n cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e/dev/null; then\n cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n exit 1\n fi\n # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n # (we set the workdir using 'unshare -w')\n context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n # Instrumented builds (SAST) use this step as their base and add some other tools.\n while read -r volume_mount; do\n VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n done \u003c\u003c\u003c\"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n while read -r filename; do\n echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n buildah build\n \"${VOLUME_MOUNTS[@]}\"\n \"${BUILDAH_ARGS[@]}\"\n \"${LABELS[@]}\"\n \"${ANNOTATIONS[@]}\"\n --tls-verify=\"$TLSVERIFY\" --no-cache\n --ulimit nofile=4096:4096\n --http-proxy=false\n -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n echo \"Making copy of sbom-prefetch.json\"\n cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n # Get the image pullspec and filter out a tag if it is not set\n # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n # if buildah did not use that particular image during build because it was skipped\n if [ -n \"$base_image_digest\" ]; then\n echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e/shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/entitlement", "name": "etc-pki-entitlement" }, { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/additional-secret", "name": "additional-secret" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/mnt/proxy-ca-bundle", "name": "proxy-ca-bundle", "readOnly": true } ], "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "TASKRUN_NAME", "value": "tsf-demo-comp-on-push-bqvg7-build-container" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "push", "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n \"$IMAGE\" \\\n \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"; then\n echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --digestfile \"/var/workdir/image-digest\" \"$IMAGE\" \\\n \"docker://$IMAGE\"; then\n echo \"Failed to push sbom image to $IMAGE\"\n exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c\"/var/workdir\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n echo -n \"${IMAGE}@\"\n cat \"/var/workdir/image-digest\"\n} \u003e\"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"; then\n echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n [rekorInternalUrl]=REKOR_URL\n [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n [rekorInternalUrl]=rekorExternalUrl\n [fulcioInternalUrl]=fulcioExternalUrl\n [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n if [ -n \"${val}\" ]; then\n echo \"Using fallback ${fallback_key} instead of ${key}\"\n fi\n fi\n if [ -z \"${val}\" ]; then\n missing=\"${missing:+${missing}, }${key}\"\n else\n declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n configured=$((configured + 1))\n fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n echo \"Keyless signing is enabled\"\n\n # Save signing config for upload-sbom step\n for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n envvar=\"${SIGNING_KEY_MAP[$key]}\"\n printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n done \u003e/shared/signing-config.env\n\n echo \"Using Rekor URL: ${REKOR_URL}\"\n echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n\n echo \"[$(date --utc -Ins)] Sign image\"\n echo \"Signing image ${IMAGE_REF} using keyless signing\"\n if ! retry cosign sign -y \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"; then\n echo \"Failed to sign image\" \u003e\u00262\n exit 1\n fi\nelif [ \"${configured}\" -eq 0 ]; then\n echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] }, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "256m", "memory": "512Mi" }, "requests": { "cpu": "256m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea", "name": "sbom-syft-generate", "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\ncase $SBOM_TYPE in\ncyclonedx)\n syft_sbom_type=cyclonedx-json@1.5\n ;;\nspdx)\n syft_sbom_type=spdx-json@2.3\n ;;\n*)\n echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n exit 1\n ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n oci-dir:\"${OCI_DIR}\"\n --output \"$syft_sbom_type=/var/workdir/sbom-image.json\"\n)\nsyft_source_args=(\n dir:\"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT\"\n --output \"$syft_sbom_type=/var/workdir/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n echo \"Running syft on the source code\"\n syft \"${syft_source_args[@]}\"\nelse\n echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/shared", "name": "shared" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" }, { "args": [ "--additional-base-images" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/mobster:1.2.0-1774868067@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --additional-base-images)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n ADDITIONAL_BASE_IMAGES+=(\"$1\")\n shift\n done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n generate\n --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-image\n --from-syft \"/var/workdir/sbom-image.json\"\n --image-pullspec \"$IMAGE_URL\"\n --image-digest \"$IMAGE_DIGEST\"\n --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/var/workdir/sbom-source.json\" ]; then\n mobster_args+=(--from-syft \"/var/workdir/sbom-source.json\")\nfi\n\nif [ -f \"/var/workdir/sbom-prefetch.json\" ]; then\n mobster_args+=(--from-hermeto \"/var/workdir/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n", "securityContext": { "runAsUser": 0 }, "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea", "name": "upload-sbom", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"; then\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n # shellcheck source=/dev/null\n source /shared/signing-config.env\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n # spdx export data as rawstring, we want structured json as cyclonedx\n ATT_SBOM_TYPE=\"spdxjson\"\n fi\n\n echo \"[$(date --utc -Ins)] Sign SBOM\"\n echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"; then\n echo \"Failed to sign SBOM\" \u003e\u00262\n exit 1\n fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/var/workdir" } ], "volumes": [ { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "name": "additional-secret", "secret": { "optional": true, "secretName": "does-not-exist" } }, { "name": "etc-pki-entitlement", "secret": { "optional": true, "secretName": "etc-pki-entitlement" } }, { "name": "oidc-token", "projected": { "sources": [ { "serviceAccountToken": { "audience": "sigstore", "expirationSeconds": 600, "path": "oidc-token" } } ] } }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "caching-ca-bundle", "optional": true }, "name": "proxy-ca-bundle" }, { "emptyDir": {}, "name": "shared" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "varlibcontainers" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/commit_sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/target_branch": "base-ebdlek", "chains.tekton.dev/signed": "true", "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=13", "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6", "pipelinesascode.tekton.dev/branch": "base-ebdlek", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jgbbjj", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "112348674", "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-c26eaf2d8c.guab.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-bqvg7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ebdlek\"", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #237 from rhads-tsf-qe/konflux-tsf-demo-comp", "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ebdlek", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7/records/123bdbeb-4e41-47a0-b26a-9564b19ca06d", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"eventType\":\"push\"}", "results.tekton.dev/result": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux" }, "creationTimestamp": "2026-04-25T12:22:00Z", "finalizers": [ "chains.tekton.dev", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.37.7", "appstudio.openshift.io/application": "tsf-demo-app", "appstudio.openshift.io/component": "tsf-demo-comp", "build.appstudio.redhat.com/build_type": "docker", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRunUID": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "tekton.dev/pipelineTask": "build-image-index", "tekton.dev/task": "build-image-index-min" }, "name": "tsf-demo-comp-on-push-bqvg7-build-image-index", "namespace": "default-tenant", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "tsf-demo-comp-on-push-bqvg7", "uid": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7" } ], "resourceVersion": "43959", "uid": "123bdbeb-4e41-47a0-b26a-9564b19ca06d" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "COMMIT_SHA", "value": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "IMAGE_EXPIRES_AFTER", "value": "" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "IMAGES", "value": [ "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31@sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb" ] }, { "name": "BUILDAH_FORMAT", "value": "docker" } ], "serviceAccountName": "build-pipeline-tsf-demo-comp", "taskRef": { "params": [ { "name": "name", "value": "build-image-index-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index-min:0.2@sha256:79b412747e07caf80cace222ef8ee7e7955676f7928b893ed39c107f4ec62bf3" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-04-25T12:22:17Z", "conditions": [ { "lastTransitionTime": "2026-04-25T12:22:17Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "tsf-demo-comp-on-push-bqvg7-build-image-index-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "79b412747e07caf80cace222ef8ee7e7955676f7928b893ed39c107f4ec62bf3" }, "entryPoint": "build-image-index-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index-min" } }, "results": [ { "name": "IMAGES", "type": "string", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb" }, { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" } ], "startTime": "2026-04-25T12:22:00Z", "steps": [ { "container": "step-build", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "build", "terminated": { "containerID": "cri-o://865b231d2e847e51c4e85fcafedb6c6183f71ad14878d4edbe693dc0aab86ea6", "exitCode": 0, "finishedAt": "2026-04-25T12:22:16Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:22:16Z" }, "terminationReason": "Completed" }, { "container": "step-create-sbom", "imageID": "quay.io/konflux-ci/mobster@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "create-sbom", "terminated": { "containerID": "cri-o://677f929f01ad54ee42ae6933f61e8dd412b423ffe8673b015e87fd4848f8dcc3", "exitCode": 0, "finishedAt": "2026-04-25T12:22:16Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:22:16Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:b22b989da3c95cb0af862eeb82531ed4f687e948ca5fb6b965d1ea8fbd5054ce", "name": "upload-sbom", "terminated": { "containerID": "cri-o://ff1c98e84fe7b2bb9f945bea9d8942200d11d6323ab1f328e790383dec52719c", "exitCode": 0, "finishedAt": "2026-04-25T12:22:16Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:22:16Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "This takes existing Image Manifests and combines them in an Image Index.", "params": [ { "description": "The target image and tag where the image will be pushed to.", "name": "IMAGE", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "default": "", "description": "The commit the image is built from.", "name": "COMMIT_SHA", "type": "string" }, { "description": "List of Image Manifests to be referenced by the Image Index", "name": "IMAGES", "type": "array" }, { "default": "", "description": "Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.", "name": "IMAGE_EXPIRES_AFTER", "type": "string" }, { "default": "true", "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.", "name": "ALWAYS_BUILD_INDEX", "type": "string" }, { "default": "vfs", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": "false", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data", "name": "caTrustConfigMapKey", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "List of all referenced image manifests", "name": "IMAGES", "type": "string" }, { "description": "Image reference of the built image containing both the repository and the digest", "name": "IMAGE_REF", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": {}, "env": [ { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "COMMIT_SHA", "value": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "IMAGE", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "STORAGE_DRIVER", "value": "vfs" } ], "volumeMounts": [ { "mountPath": "/index-build-data", "name": "shared-dir" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ] }, "steps": [ { "args": [ "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31@sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "build", "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nif [[ $# -ne 1 \u0026\u0026 \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n echo \"Skipping image index generation while supplying multiple image inputs is unsupported.\"\n exit 2\nfi\n\nbuildah manifest create \"$IMAGE\"\nfor i in $@\ndo\n TOADD=\"$i\"\n TOADD_URL=\"$(echo \"$i\" | cut -d@ -f1)\"\n TOADD_DIGEST=\"$(echo \"$i\" | cut -d@ -f2)\"\n if [[ $(echo \"$i\" | tr -cd \":\" | wc -c) == 2 ]]; then\n #format is repository:tag@sha256:digest\n #we need to remove the tag, and just reference the digest\n #as tag + digest is not supported\n TOADD_REPOSITORY=\"$(echo \"$i\" | cut -d: -f1)\"\n TOADD=\"${TOADD_REPOSITORY}@${TOADD_DIGEST}\"\n fi\n if [[ \"$ALWAYS_BUILD_INDEX\" != \"true\" ]]; then\n echo \"Skipping image index generation. Returning results for $TOADD.\"\n echo -n \"${TOADD_URL}\" \u003e \"/tekton/results/IMAGE_URL\"\n echo -n \"${TOADD_DIGEST}\" \u003e \"/tekton/results/IMAGE_DIGEST\"\n echo -n \"${TOADD}\" \u003e \"/tekton/results/IMAGES\"\n exit 0\n fi\n\n echo \"Adding $TOADD\"\n buildah manifest add $IMAGE \"docker://$TOADD\" --all\ndone\n\necho \"Validating format consistency\"\nINCOMPATIBLE_STRING=\"vnd.oci.image.manifest\"\nINCOMPATIBLE_NAME=\"oci\"\nif [ \"$BUILDAH_FORMAT\" == \"oci\" ]; then\n INCOMPATIBLE_STRING=\"vnd.docker.distribution.manifest\"\n INCOMPATIBLE_NAME=\"docker\"\nfi\n\n# If mismatched formats (e.g., Docker manifests within an OCI index) exist locally, 'buildah push'\n# converts the inner manifests to match the target BUILDAH_FORMAT.\n# This alters the digests and breaks the link to the attached SBOMs.\nMANIFEST_MEDIA_TYPES=$(buildah manifest inspect \"$IMAGE\" | jq -er '.manifests[].mediaType')\nif echo \"$MANIFEST_MEDIA_TYPES\" | grep -q \"$INCOMPATIBLE_STRING\"; then\n echo \"ERROR: Platform image contains $INCOMPATIBLE_NAME format, but index will be $BUILDAH_FORMAT\"\n echo \"This will cause digest changes and break SBOM accessibility.\"\n echo \"Ensure all platform images are built with buildah-format: $BUILDAH_FORMAT\"\n exit 1\nfi\n\n# While the BUILDAH_FORMAT environment variable can define the push\n# format, lets be explicit about the format that we want when we push.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n push_format=docker\nfi\n\nbuildah_retries=3\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --digestfile image-digest \\\n \"$IMAGE\" \\\n \"docker://$IMAGE\"\nthen\n echo \"Failed to push image ${IMAGE} to registry\"\n exit 1\nfi\n\necho \"Pushing image to registry\"\nif ! retry buildah manifest push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --digestfile image-digest \\\n \"$IMAGE\" \\\n \"docker://${IMAGE%:*}:tsf-demo-comp-on-push-bqvg7-build-image-index\"\nthen\n echo \"Failed to push image ${IMAGE%:*}:tsf-demo-comp-on-push-bqvg7-build-image-index to registry\"\n exit 1\nfi\n\nINDEX_REPOSITORY=\"$(echo \"$IMAGE\" | cut -d@ -f1 | cut -d: -f1)\"\nMANIFEST_DIGESTS=$(buildah manifest inspect \"$IMAGE\" | jq -er \".manifests[].digest\")\nimage_manifests=\"\"\nfor i in $MANIFEST_DIGESTS\ndo\n image_manifests=\"${image_manifests} ${INDEX_REPOSITORY}@${i},\"\ndone\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c image-digest\necho -n \"$IMAGE\" | tee \"/tekton/results/IMAGE_URL\"\n{\n echo -n \"${IMAGE}@\"\n cat \"image-digest\"\n} \u003e \"/tekton/results/IMAGE_REF\"\necho -n \"${image_manifests:1:-1}\" \u003e \"/tekton/results/IMAGES\"\n\n# buildah manifest inspect will always give precedence to the local image.\n# Since we built this image in the same place as we are inspecting it, we can\n# just inspect it instead of finding the digest and inspecting the remote image.\nbuildah manifest inspect \"$IMAGE\" \u003e /index-build-data/manifest_data.json\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } } }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/mobster:1.2.0-1774868067@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "create-sbom", "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-index\n --index-image-pullspec \"$IMAGE_URL\"\n --index-image-digest \"$IMAGE_DIGEST\"\n --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea", "name": "upload-sbom", "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 } } ], "volumes": [ { "emptyDir": {}, "name": "shared-dir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/commit_sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/target_branch": "base-ebdlek", "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6", "pipelinesascode.tekton.dev/branch": "base-ebdlek", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jgbbjj", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "112348674", "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-c26eaf2d8c.guab.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-bqvg7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ebdlek\"", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #237 from rhads-tsf-qe/konflux-tsf-demo-comp", "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ebdlek", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "results.tekton.dev/record": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7/records/1d590127-0366-4eec-b757-a5d67df1d9f0", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"eventType\":\"push\"}", "results.tekton.dev/result": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "results.tekton.dev/stored": "false", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux" }, "creationTimestamp": "2026-04-25T12:22:17Z", "finalizers": [ "chains.tekton.dev", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.37.7", "appstudio.openshift.io/application": "tsf-demo-app", "appstudio.openshift.io/component": "tsf-demo-comp", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRunUID": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "tekton.dev/pipelineTask": "clair-scan", "tekton.dev/task": "clair-scan-min" }, "name": "tsf-demo-comp-on-push-bqvg7-clair-scan", "namespace": "default-tenant", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "tsf-demo-comp-on-push-bqvg7", "uid": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7" } ], "resourceVersion": "43949", "uid": "1d590127-0366-4eec-b757-a5d67df1d9f0" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb" }, { "name": "image-url", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" } ], "serviceAccountName": "build-pipeline-tsf-demo-comp", "taskRef": { "params": [ { "name": "name", "value": "clair-scan-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan-min:0.3@sha256:c117d0fd0b5413b5addb014027f06b1ea2c39c8e962876810c40c7baf5b54e72" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "conditions": [ { "lastTransitionTime": "2026-04-25T12:22:19Z", "message": "pod status \"Ready\":\"False\"; message: \"containers with unready status: [step-get-image-manifests step-get-vulnerabilities step-oci-attach-report step-conftest-vulnerabilities]\"", "reason": "Pending", "status": "Unknown", "type": "Succeeded" } ], "podName": "tsf-demo-comp-on-push-bqvg7-clair-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "c117d0fd0b5413b5addb014027f06b1ea2c39c8e962876810c40c7baf5b54e72" }, "entryPoint": "clair-scan-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan-min" } }, "startTime": "2026-04-25T12:22:17Z", "steps": [ { "container": "step-get-image-manifests", "name": "get-image-manifests", "waiting": { "reason": "PodInitializing" } }, { "container": "step-get-vulnerabilities", "name": "get-vulnerabilities", "waiting": { "reason": "PodInitializing" } }, { "container": "step-oci-attach-report", "name": "oci-attach-report", "waiting": { "reason": "PodInitializing" } }, { "container": "step-conftest-vulnerabilities", "name": "conftest-vulnerabilities", "waiting": { "reason": "PodInitializing" } } ], "taskSpec": { "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "The platform built by.", "name": "image-platform", "type": "string" }, { "default": "", "description": "unused, should be removed in next task version.", "name": "docker-auth", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-oci-attach-report", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Clair scan result.", "name": "SCAN_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" }, { "description": "Mapping of image digests to report digests", "name": "REPORTS", "type": "string" } ], "stepTemplate": { "computeResources": {}, "env": [ { "name": "RETRY_COUNT", "value": "5" } ], "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, "steps": [ { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "IMAGE_DIGEST", "value": "sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.51@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a", "name": "get-image-manifests", "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$IMAGE_URL\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n done\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task clair-scan-min failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } } }, { "computeResources": { "limits": { "cpu": "100m", "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "IMAGE_DIGEST", "value": "sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb" }, { "name": "IMAGE_PLATFORM" } ], "image": "quay.io/konflux-ci/clair-in-ci:v1", "imagePullPolicy": "Always", "name": "get-vulnerabilities", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$IMAGE_URL\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --docker-config-dir=/tmp/auth --format=clair | tee \"clair-report-$2.json\"; } \u0026\u0026 \\\n { retry clair-action convert --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n local arch=\"$1\"\n local sha_file=\"image-manifest-$arch.sha\"\n\n if [ -e \"$sha_file\" ]; then\n local arch_sha\n arch_sha=$(\u003c\"$sha_file\")\n local digest=\"${imagewithouttag}@${arch_sha}\"\n\n echo \"Running clair-action on $arch image manifest...\"\n clair_report \"$digest\" \"$arch\" || true\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n arch=\"${platform#*/}\"\n if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n arch=\"amd64\"\n fi\n # Validate against supported arch list. If it's not a known arch, fallback to amd64\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n exit 0\n ;;\n esac\n\n run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n for sha_file in image-manifest-*.sha; do\n if [ -e \"$sha_file\" ]; then\n arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n run_clair_on_arch \"$arch\"\n fi\n done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_OCI_ATTACH_REPORT", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" } ], "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "oci-attach-report", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n echo 'OCI attach report skipped by parameter.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n echo 'No Clair reports generated. Skipping upload.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n report_file=\"$1\"\n arch=\"${report_file/*-}\"\n echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n image_ref=\"${repository}@${digest}\"\n echo \"Attaching $f to ${image_ref}\"\n if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n then\n echo \"Failed to attach ${f} to ${image_ref}\"\n exit 1\n fi\n # shellcheck disable=SC2016\n reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/konflux-test:v1.4.51@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a", "name": "conftest-vulnerabilities", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n if [ ! -s \"$file\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n else\n /usr/bin/conftest test --no-fail $file \\\n --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n fi\n\n #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n note=\"Task clair-scan-min failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n result=$(jq -rce \\\n '{\n vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n },\n unpatched_vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n }\n }' \"$file\")\n\n scan_result=$(jq -s -rce \\\n '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan-min completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } } } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/commit_sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/target_branch": "base-ebdlek", "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6", "pipelinesascode.tekton.dev/branch": "base-ebdlek", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jgbbjj", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "112348674", "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-c26eaf2d8c.guab.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-bqvg7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ebdlek\"", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #237 from rhads-tsf-qe/konflux-tsf-demo-comp", "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ebdlek", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "results.tekton.dev/record": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7/records/2fb1891c-76a5-4277-8d52-26917b1776c4", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"eventType\":\"push\"}", "results.tekton.dev/result": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "results.tekton.dev/stored": "false", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "virus, konflux" }, "creationTimestamp": "2026-04-25T12:22:17Z", "finalizers": [ "chains.tekton.dev", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.37.7", "appstudio.openshift.io/application": "tsf-demo-app", "appstudio.openshift.io/component": "tsf-demo-comp", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRunUID": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "tekton.dev/pipelineTask": "clamav-scan", "tekton.dev/task": "clamav-scan-min" }, "name": "tsf-demo-comp-on-push-bqvg7-clamav-scan", "namespace": "default-tenant", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "tsf-demo-comp-on-push-bqvg7", "uid": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7" } ], "resourceVersion": "43934", "uid": "2fb1891c-76a5-4277-8d52-26917b1776c4" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb" }, { "name": "image-url", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" } ], "serviceAccountName": "build-pipeline-tsf-demo-comp", "taskRef": { "params": [ { "name": "name", "value": "clamav-scan-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min:0.3@sha256:589e34f73d310aa993c9761d8b78265a904a121028bda2809d8a2d0500454bd8" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "conditions": [ { "lastTransitionTime": "2026-04-25T12:22:20Z", "message": "pod status \"Ready\":\"False\"; message: \"containers with unready status: [step-extract-and-scan-image step-upload]\"", "reason": "Pending", "status": "Unknown", "type": "Succeeded" } ], "podName": "tsf-demo-comp-on-push-bqvg7-clamav-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "589e34f73d310aa993c9761d8b78265a904a121028bda2809d8a2d0500454bd8" }, "entryPoint": "clamav-scan-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan-min" } }, "startTime": "2026-04-25T12:22:17Z", "steps": [ { "container": "step-extract-and-scan-image", "name": "extract-and-scan-image", "waiting": { "reason": "PodInitializing" } }, { "container": "step-upload", "name": "upload", "waiting": { "reason": "PodInitializing" } } ], "taskSpec": { "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "Image arch.", "name": "image-arch", "type": "string" }, { "default": "", "description": "unused", "name": "docker-auth", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "8", "description": "Maximum number of threads clamd runs.", "name": "clamd-max-threads", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-upload", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "512m", "memory": "3Gi" }, "requests": { "cpu": "512m", "memory": "3Gi" } }, "env": [ { "name": "HOME", "value": "/work" }, { "name": "IMAGE_URL", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "IMAGE_DIGEST", "value": "sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb" }, { "name": "IMAGE_ARCH" }, { "name": "MAX_THREADS", "value": "8" } ], "image": "quay.io/konflux-ci/clamav-db:latest", "name": "extract-and-scan-image", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n mkdir -p ~/.docker\n echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n# $1: destination - path to the content to scan\n# $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n# $3: digest - digest to add to digests_processed array\n# $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n local destination=\"$1\"\n local suffix=\"$2\"\n local digest=\"$3\"\n local scan_message=\"${4:-Scanning content}\"\n\n db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n echo \"$scan_message. This operation may take a while.\"\n clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n digests_processed+=(\"\\\"$digest\\\"\")\n\n if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n # OPA/EC requires structured data input, add clamAV log into json\n jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o json \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o appstudio \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n\n if [ -n \"$raw_manifest\" ]; then\n media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n # Determine if this is an OCI artifact (not a container image)\n # OCI artifacts typically have:\n # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n # - An explicit artifactType field that is not a container image type\n is_oci_artifact=false\n\n # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n is_oci_artifact=true\n fi\n\n # Check if artifactType is set and is not a container image type\n if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n is_oci_artifact=true\n fi\n\n if [ \"$is_oci_artifact\" = true ]; then\n # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n # This looks like a container image manifest, but get_image_manifests failed\n echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n note=\"Task clamav-scan-min failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n else\n # Likely an OCI artifact with non-standard media type\n echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan-min failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n fi\n else\n echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n note=\"Task clamav-scan-min failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n echo \"Detected container image. Processing image manifests.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n # Proceed only if a specific arch is provided.\n # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n if [ -n \"$IMAGE_ARCH\" ]; then\n arch=\"${IMAGE_ARCH#*/}\"\n if [ \"${arch}\" = \"x86_64\" ]; then\n arch=\"amd64\"\n fi\n\n # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n arch=\"amd64\"\n ;;\n esac\n\n image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n fi\n\n while read -r arch arch_sha; do\n destination=$(echo content-$arch)\n mkdir -p \"$destination\"\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n if [ $? -ne 0 ]; then\n echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n exit 0\n fi\n\n # Scan and process container image for this architecture\n scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n {\n \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n \"namespace\" : $item.namespace,\n \"successes\" : (.successes + $item.successes),\n \"failures\" : (.failures + $item.failures),\n \"warnings\" : (.warnings + $item.warnings),\n \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_UPLOAD", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "IMAGE_DIGEST", "value": "sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb" } ], "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n echo \"Upload skipped by parameter.\"\n exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n MEDIA_TYPE=text/vnd.clamav\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n MEDIA_TYPE=application/vnd.konflux.test_output+json\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n echo \"No files found. Skipping upload.\"\n exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n", "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" } ], "volumes": [ { "emptyDir": {}, "name": "dbfolder" }, { "emptyDir": {}, "name": "work" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/commit_sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/target_branch": "base-ebdlek", "chains.tekton.dev/signed": "true", "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=1", "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6", "pipelinesascode.tekton.dev/branch": "base-ebdlek", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jgbbjj", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "112348674", "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-c26eaf2d8c.guab.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-bqvg7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ebdlek\"", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #237 from rhads-tsf-qe/konflux-tsf-demo-comp", "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ebdlek", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7/records/efeb0ce2-2980-465a-8d3e-436a0ee1b6f3", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"eventType\":\"push\"}", "results.tekton.dev/result": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "results.tekton.dev/stored": "true", "tekton.dev/categories": "Git", "tekton.dev/displayName": "git clone oci trusted artifacts", "tekton.dev/pipelines.minVersion": "0.21.0", "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64", "tekton.dev/tags": "git" }, "creationTimestamp": "2026-04-25T12:18:24Z", "finalizers": [ "chains.tekton.dev", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.37.7", "appstudio.openshift.io/application": "tsf-demo-app", "appstudio.openshift.io/component": "tsf-demo-comp", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRunUID": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "tekton.dev/pipelineTask": "clone-repository", "tekton.dev/task": "git-clone-oci-ta-min" }, "name": "tsf-demo-comp-on-push-bqvg7-clone-repository", "namespace": "default-tenant", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "tsf-demo-comp-on-push-bqvg7", "uid": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7" } ], "resourceVersion": "40460", "uid": "efeb0ce2-2980-465a-8d3e-436a0ee1b6f3" }, "spec": { "params": [ { "name": "url", "value": "https://github.com/rhads-tsf-qe/testrepo" }, { "name": "revision", "value": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "ociStorage", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31.git" }, { "name": "ociArtifactExpiresAfter", "value": "" } ], "serviceAccountName": "build-pipeline-tsf-demo-comp", "taskRef": { "params": [ { "name": "name", "value": "git-clone-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min:0.1@sha256:2fff50eaed7d278c3ed82375d28241eaf6eecbc389ec4d44992721786a0dfa68" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s", "workspaces": [ { "name": "basic-auth", "secret": { "secretName": "pac-gitauth-jgbbjj" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-04-25T12:18:38Z", "conditions": [ { "lastTransitionTime": "2026-04-25T12:18:38Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "tsf-demo-comp-on-push-bqvg7-clone-repository-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "2fff50eaed7d278c3ed82375d28241eaf6eecbc389ec4d44992721786a0dfa68" }, "entryPoint": "git-clone-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min" } }, "results": [ { "name": "CHAINS-GIT_COMMIT", "type": "string", "value": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "CHAINS-GIT_URL", "type": "string", "value": "https://github.com/rhads-tsf-qe/testrepo" }, { "name": "commit", "type": "string", "value": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "commit-timestamp", "type": "string", "value": "1777119489" }, { "name": "short-commit", "type": "string", "value": "dfe4c43" }, { "name": "url", "type": "string", "value": "https://github.com/rhads-tsf-qe/testrepo" }, { "name": "SOURCE_ARTIFACT", "type": "string", "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:460ccd2352bd90cc6f22277c8a9c5aedd1fb03230d4afe854adbe5d44cf78e05" } ], "startTime": "2026-04-25T12:18:24Z", "steps": [ { "container": "step-clone", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "terminated": { "containerID": "cri-o://7eaca8cdff64b192904b1d7fd5e5be4597212421cbdc8249369388f562d4ed88", "exitCode": 0, "finishedAt": "2026-04-25T12:18:36Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1},{\"key\":\"commit\",\"value\":\"dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1777119489\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"dfe4c43\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:18:35Z" }, "terminationReason": "Completed" }, { "container": "step-symlink-check", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "terminated": { "containerID": "cri-o://08e32596f7ffdbd6fc7a0f37855335850d54992698c1aee93243764fdfa0830e", "exitCode": 0, "finishedAt": "2026-04-25T12:18:36Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1},{\"key\":\"commit\",\"value\":\"dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1777119489\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"dfe4c43\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:18:36Z" }, "terminationReason": "Completed" }, { "container": "step-create-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad", "name": "create-trusted-artifact", "terminated": { "containerID": "cri-o://56c416b5dc808814e2b086dce9d3c2377c9eee1fd9f872684e842d583706e49f", "exitCode": 0, "finishedAt": "2026-04-25T12:18:38Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:460ccd2352bd90cc6f22277c8a9c5aedd1fb03230d4afe854adbe5d44cf78e05\",\"type\":1},{\"key\":\"commit\",\"value\":\"dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1777119489\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"dfe4c43\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:18:37Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted artifact in the provided OCI repository.", "params": [ { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "1", "description": "Perform a shallow clone, fetching only the most recent N commits.", "name": "depth", "type": "string" }, { "default": "true", "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n", "name": "enableSymlinkCheck", "type": "string" }, { "default": "false", "description": "Fetch all tags for the repo.", "name": "fetchTags", "type": "string" }, { "default": "", "description": "HTTP proxy server for non-SSL requests.", "name": "httpProxy", "type": "string" }, { "default": "", "description": "HTTPS proxy server for SSL requests.", "name": "httpsProxy", "type": "string" }, { "default": "", "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n", "name": "mergeSourceDepth", "type": "string" }, { "default": "", "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n", "name": "mergeSourceRepoUrl", "type": "string" }, { "default": "false", "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.", "name": "mergeTargetBranch", "type": "string" }, { "default": "", "description": "Opt out of proxying HTTP/HTTPS requests.", "name": "noProxy", "type": "string" }, { "default": "", "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.", "name": "ociArtifactExpiresAfter", "type": "string" }, { "description": "The OCI repository where the Trusted Artifacts are stored.", "name": "ociStorage", "type": "string" }, { "default": "", "description": "Refspec to fetch before checking out revision.", "name": "refspec", "type": "string" }, { "default": "", "description": "Revision to checkout. (branch, tag, sha, ref, etc...)", "name": "revision", "type": "string" }, { "default": "7", "description": "Length of short commit SHA", "name": "shortCommitLength", "type": "string" }, { "default": "", "description": "Define the directory patterns to match or exclude when performing a sparse checkout.", "name": "sparseCheckoutDirectories", "type": "string" }, { "default": "true", "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.", "name": "sslVerify", "type": "string" }, { "default": "", "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n", "name": "submodulePaths", "type": "string" }, { "default": "true", "description": "Initialize and fetch git submodules.", "name": "submodules", "type": "string" }, { "default": "main", "description": "The target branch to merge into the revision (if mergeTargetBranch is true).", "name": "targetBranch", "type": "string" }, { "description": "Repository URL to clone from.", "name": "url", "type": "string" }, { "default": "/tekton/home", "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n", "name": "userHome", "type": "string" }, { "default": "false", "description": "Log the commands that are executed during `git-clone`'s operation.", "name": "verbose", "type": "string" } ], "results": [ { "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_COMMIT", "type": "string" }, { "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_URL", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "description": "The precise commit SHA that was fetched by this Task.", "name": "commit", "type": "string" }, { "description": "The commit timestamp of the checkout", "name": "commit-timestamp", "type": "string" }, { "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).", "name": "merged_sha", "type": "string" }, { "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters", "name": "short-commit", "type": "string" }, { "description": "The precise URL that was fetched by this Task.", "name": "url", "type": "string" } ], "steps": [ { "computeResources": {}, "env": [ { "name": "HOME", "value": "/tekton/home" }, { "name": "PARAM_URL", "value": "https://github.com/rhads-tsf-qe/testrepo" }, { "name": "PARAM_REVISION", "value": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "PARAM_REFSPEC" }, { "name": "PARAM_SUBMODULES", "value": "true" }, { "name": "PARAM_SUBMODULE_PATHS" }, { "name": "PARAM_DEPTH", "value": "1" }, { "name": "PARAM_SHORT_COMMIT_LENGTH", "value": "7" }, { "name": "PARAM_SSL_VERIFY", "value": "true" }, { "name": "PARAM_HTTP_PROXY" }, { "name": "PARAM_HTTPS_PROXY" }, { "name": "PARAM_NO_PROXY" }, { "name": "PARAM_VERBOSE", "value": "false" }, { "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES" }, { "name": "PARAM_USER_HOME", "value": "/tekton/home" }, { "name": "PARAM_FETCH_TAGS", "value": "false" }, { "name": "PARAM_MERGE_TARGET_BRANCH", "value": "false" }, { "name": "PARAM_TARGET_BRANCH", "value": "main" }, { "name": "PARAM_MERGE_SOURCE_REPO_URL" }, { "name": "PARAM_MERGE_SOURCE_DEPTH" }, { "name": "WORKSPACE_SSH_DIRECTORY_BOUND", "value": "false" }, { "name": "WORKSPACE_SSH_DIRECTORY_PATH" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND", "value": "true" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH", "value": "/workspace/basic-auth" }, { "name": "CHECKOUT_DIR", "value": "/var/workdir/source" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ]; then\n set -x\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ]; then\n if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n # Compatibility with kubernetes.io/basic-auth secrets\n elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e\"${PARAM_USER_HOME}/.git-credentials\"\n echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n helper = store\" \u003e\"${PARAM_USER_HOME}/.gitconfig\"\n else\n echo \"Unknown basic-auth workspace format\"\n exit 1\n fi\n chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ]; then\n cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n -url=\"${PARAM_URL}\" \\\n -revision=\"${PARAM_REVISION}\" \\\n -refspec=\"${PARAM_REFSPEC}\" \\\n -path=\"${CHECKOUT_DIR}\" \\\n -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n -submodules=\"${PARAM_SUBMODULES}\" \\\n -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n -depth=\"${PARAM_DEPTH}\" \\\n -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n # Determine if merging from a different repository or the same one\n if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n normalize_url() {\n echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n }\n\n NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n MERGE_REMOTE=\"origin\"\n else\n echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n echo \"Adding remote 'merge-source'...\"\n git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n MERGE_REMOTE=\"merge-source\"\n fi\n else\n echo \"Merging from the same repository (origin)\"\n MERGE_REMOTE=\"origin\"\n fi\n\n echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n else\n retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n fi\n\n echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n git config --global user.email \"tekton-git-clone@tekton.dev\"\n git config --global user.name \"Tekton Git Clone Task\"\n\n if ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n echo \"--- Git Status ---\"\n git status\n echo \"------------------\"\n exit 1\n fi\n\n # Check if there are changes staged for commit\n if git diff --staged --quiet; then\n echo \"No diff was found, skipping merge...\" \u003e\u00262\n else\n echo \"Merge successful (no conflicts found), committing...\"\n if ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n exit 1\n fi\n MERGED_SHA=$(git rev-parse HEAD)\n echo \"New HEAD after merge: ${MERGED_SHA}\"\n echo \"${MERGED_SHA}\" \u003e\"/tekton/results/merged_sha\"\n fi\n\nelse\n echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e\"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e\"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ]; then\n echo \"Fetching tags\"\n retry git fetch --tags\nfi\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/workdir", "name": "workdir" } ] }, { "computeResources": {}, "env": [ { "name": "PARAM_ENABLE_SYMLINK_CHECK", "value": "true" }, { "name": "CHECKOUT_DIR", "value": "/var/workdir/source" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "script": "#!/usr/bin/env bash\nset -euo pipefail\n\ncheck_symlinks() {\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n while read -r symlink; do\n target=$(readlink -m \"$symlink\")\n if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n fi\n done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ]; then\n return 1\n fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ]; then\n echo \"Running symlink check\"\n check_symlinks\nfi\n", "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, { "args": [ "create", "--store", "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31.git", "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_EXPIRES_AFTER" } ], "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad", "name": "create-trusted-artifact", "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ], "workspaces": [ { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n", "name": "basic-auth", "optional": true }, { "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n", "name": "ssh-directory", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/commit_sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/target_branch": "base-ebdlek", "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6", "pipelinesascode.tekton.dev/branch": "base-ebdlek", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jgbbjj", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "112348674", "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-c26eaf2d8c.guab.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-bqvg7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ebdlek\"", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #237 from rhads-tsf-qe/konflux-tsf-demo-comp", "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ebdlek", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "results.tekton.dev/record": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7/records/35af9dc8-7e8f-4484-89c6-111daa17416f", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"eventType\":\"push\"}", "results.tekton.dev/result": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "results.tekton.dev/stored": "false", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux" }, "creationTimestamp": "2026-04-25T12:22:17Z", "finalizers": [ "chains.tekton.dev", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.37.7", "appstudio.openshift.io/application": "tsf-demo-app", "appstudio.openshift.io/component": "tsf-demo-comp", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRunUID": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "tekton.dev/pipelineTask": "deprecated-base-image-check", "tekton.dev/task": "deprecated-image-check" }, "name": "tsf-demo-comp-on-push-bqvg7-deprecated-base-image-check", "namespace": "default-tenant", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "tsf-demo-comp-on-push-bqvg7", "uid": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7" } ], "resourceVersion": "43861", "uid": "35af9dc8-7e8f-4484-89c6-111daa17416f" }, "spec": { "params": [ { "name": "IMAGE_URL", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "IMAGE_DIGEST", "value": "sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb" } ], "serviceAccountName": "build-pipeline-tsf-demo-comp", "taskRef": { "params": [ { "name": "name", "value": "deprecated-image-check" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "conditions": [ { "lastTransitionTime": "2026-04-25T12:22:19Z", "message": "pod status \"Ready\":\"False\"; message: \"containers with unready status: [step-check-images]\"", "reason": "Pending", "status": "Unknown", "type": "Succeeded" } ], "podName": "tsf-demo-comp-on-push-bqvg7-deprecated-base-image-check-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae" }, "entryPoint": "deprecated-image-check", "uri": "quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check" } }, "startTime": "2026-04-25T12:22:17Z", "steps": [ { "container": "step-check-images", "name": "check-images", "waiting": { "reason": "PodInitializing" } } ], "taskSpec": { "description": "Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata.", "params": [ { "default": "/project/repository/", "description": "Path to directory containing Conftest policies.", "name": "POLICY_DIR", "type": "string" }, { "default": "required_checks", "description": "Namespace for Conftest policy.", "name": "POLICY_NAMESPACE", "type": "string" }, { "default": "", "description": "Digests of base build images.", "name": "BASE_IMAGES_DIGESTS", "type": "string" }, { "description": "Fully qualified image name.", "name": "IMAGE_URL", "type": "string" }, { "description": "Image digest.", "name": "IMAGE_DIGEST", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "CA_TRUST_CONFIG_MAP_KEY", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "POLICY_DIR", "value": "/project/repository/" }, { "name": "POLICY_NAMESPACE", "value": "required_checks" }, { "name": "BASE_IMAGES_DIGESTS" }, { "name": "IMAGE_URL", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "IMAGE_DIGEST", "value": "sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.49@sha256:74899c7a3dde27548e1ad9c665055bfef56c227251bd9224885f4bbd7addebd9", "name": "check-images", "script": "#!/usr/bin/env bash\nset -euo pipefail\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nIMAGES_TO_BE_PROCESSED_PATH=\"/tmp/images_to_be_processed.txt\"\ntouch /tmp/images_to_be_processed.txt\n\nsuccess_counter=0\nfailure_counter=0\nerror_counter=0\nwarnings_counter=0\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo -n $imagewithouttag@$IMAGE_DIGEST)\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n while read -r arch arch_sha; do\n SBOM_FILE_PATH=$(echo \"/tmp/sbom-$arch.json\")\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n # Get base images from SBOM\n cosign download sbom $arch_imageanddigest \u003e ${SBOM_FILE_PATH}\n if [ $? -ne 0 ]; then\n echo \"Unable to download sbom for arch $arch.\"\n continue\n fi\n\n \u003c \"${SBOM_FILE_PATH}\" jq -r '\n if .bomFormat == \"CycloneDX\" then\n .formulation[]?\n | .components[]?\n | select(any(.properties[]?; .name | test(\"^konflux:container:is_(base|builder)_image\")))\n | (\n .purl\n | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n ) as $matched\n | $matched.repository_url\n else\n .packages[]\n | select(any(.annotations[]?.comment; (fromjson?).name? | test(\"^konflux:container:is_(base|builder)_image\")?))\n | [.externalRefs[]? | select(.referenceType == \"purl\").referenceLocator] as $purls\n | (\n $purls | first\n | capture(\"^pkg:oci/.*?@(?\u003cdigest\u003e[a-z0-9]+:[a-f0-9]+)(?:\\\\?[^#]*repository_url=(?\u003crepository_url\u003e[^\u0026#]*))?\")\n ) as $matched\n | $matched.repository_url\n end\n ' \u003e\u003e \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n echo \"Detected base images from $arch SBOM:\"\n cat \"${IMAGES_TO_BE_PROCESSED_PATH}\"\n echo \"\"\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task deprecated-image-check failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nif [ -n \"${BASE_IMAGES_DIGESTS}\" ];\nthen\n echo \"Base images passed by param BASE_IMAGES_DIGESTS: $BASE_IMAGES_DIGESTS\"\n # Get images from the parameter\n for IMAGE_WITH_TAG in $(echo -n \"$BASE_IMAGES_DIGESTS\" | sed 's/\\\\n/\\'$'\\n''/g' );\n do\n echo $IMAGE_WITH_TAG | cut -d \":\" -f1 \u003e\u003e ${IMAGES_TO_BE_PROCESSED_PATH}\n done\nfi\n\n# we want to remove duplicated entries\nBASE_IMAGES=$(sort -u \"${IMAGES_TO_BE_PROCESSED_PATH}\")\n\necho \"Images to be checked:\"\necho \"$BASE_IMAGES\"\necho \"\"\n\nfor BASE_IMAGE in ${BASE_IMAGES};\ndo\n IFS=:'/' read -r IMAGE_REGISTRY IMAGE_REPOSITORY\u003c\u003c\u003c $BASE_IMAGE\n\n # Red Hat Catalog hack: registry.redhat.io must be queried as registry.access.redhat.com in Red Hat catalog\n IMAGE_REGISTRY_CATALOG=$(echo \"${IMAGE_REGISTRY}\" | sed 's/^registry.redhat.io$/registry.access.redhat.com/')\n\n export IMAGE_REPO_PATH=/tmp/${IMAGE_REPOSITORY}\n mkdir -p ${IMAGE_REPO_PATH}\n echo \"Querying Red Hat Catalog for $BASE_IMAGE.\"\n http_code=$(curl -s -o ${IMAGE_REPO_PATH}/repository_data.json -w '%{http_code}' \"https://catalog.redhat.com/api/containers/v1/repositories/registry/${IMAGE_REGISTRY_CATALOG}/repository/${IMAGE_REPOSITORY}\")\n\n if [ \"$http_code\" == \"200\" ];\n then\n echo \"Running conftest using $POLICY_DIR policy, $POLICY_NAMESPACE namespace.\"\n /usr/bin/conftest test --no-fail ${IMAGE_REPO_PATH}/repository_data.json \\\n --policy $POLICY_DIR --namespace $POLICY_NAMESPACE \\\n --output=json | tee ${IMAGE_REPO_PATH}/deprecated_image_check_output.json\n\n failures_num=$(jq -r '.[].failures|length' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n if [[ \"${failures_num}\" -gt 0 ]]; then\n echo \"[FAILURE] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} has been deprecated\"\n fi\n failure_counter=$((failure_counter+failures_num))\n\n successes_num=$(jq -r '.[].successes' ${IMAGE_REPO_PATH}/deprecated_image_check_output.json)\n if [[ \"${successes_num}\" -gt 0 ]]; then\n echo \"[SUCCESS] Image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} is valid\"\n fi\n success_counter=$((success_counter+successes_num))\n\n elif [ \"$http_code\" == \"404\" ];\n then\n echo \"[WARNING] Registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY} not found in Red Hat Catalog. Task cannot provide results if image is deprecated.\"\n warnings_counter=$((warnings_counter+1))\n else\n echo \"[ERROR] Unexpected error (HTTP code: ${http_code}) occurred for registry/image ${IMAGE_REGISTRY}/${IMAGE_REPOSITORY}.\"\n error_counter=$((error_counter+1))\n fi\ndone\n\nnote=\"Task deprecated-image-check failed: Command conftest failed. For details, check Tekton task log.\"\nERROR_OUTPUT=$(make_result_json -r ERROR -n \"$POLICY_NAMESPACE\" -t \"$note\")\n\nnote=\"Task deprecated-image-check completed: Check result for task result.\"\nif [[ \"$error_counter\" == 0 ]];\nthen\n if [[ \"${failure_counter}\" -gt 0 ]]; then\n RES=\"FAILURE\"\n elif [[ \"${warnings_counter}\" -gt 0 ]]; then\n RES=\"WARNING\"\n elif [[ \"${success_counter}\" -eq 0 ]]; then\n # when all counters are 0, there are no base images to check\n note=\"Task deprecated-image-check success: No base images to check.\"\n RES=\"SUCCESS\"\n else\n RES=\"SUCCESS\"\n fi\n TEST_OUTPUT=$(make_result_json \\\n -r \"${RES}\" -n \"$POLICY_NAMESPACE\" \\\n -s \"${success_counter}\" -f \"${failure_counter}\" -w \"${warnings_counter}\" -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee /tekton/results/TEST_OUTPUT\n\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/commit_sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/target_branch": "base-ebdlek", "chains.tekton.dev/signed": "true", "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=0", "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6", "pipelinesascode.tekton.dev/branch": "base-ebdlek", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jgbbjj", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "112348674", "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-c26eaf2d8c.guab.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-bqvg7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ebdlek\"", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #237 from rhads-tsf-qe/konflux-tsf-demo-comp", "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ebdlek", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7/records/fdf76d59-13f1-46a6-abd3-e5f0d0fcc2d6", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"eventType\":\"push\"}", "results.tekton.dev/result": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux" }, "creationTimestamp": "2026-04-25T12:18:20Z", "finalizers": [ "chains.tekton.dev", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.37.7", "appstudio.openshift.io/application": "tsf-demo-app", "appstudio.openshift.io/component": "tsf-demo-comp", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRunUID": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "tekton.dev/pipelineTask": "init", "tekton.dev/task": "init" }, "name": "tsf-demo-comp-on-push-bqvg7-init", "namespace": "default-tenant", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "tsf-demo-comp-on-push-bqvg7", "uid": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7" } ], "resourceVersion": "40243", "uid": "fdf76d59-13f1-46a6-abd3-e5f0d0fcc2d6" }, "spec": { "params": [ { "name": "enable-cache-proxy", "value": "false" } ], "serviceAccountName": "build-pipeline-tsf-demo-comp", "taskRef": { "params": [ { "name": "name", "value": "init" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-04-25T12:18:24Z", "conditions": [ { "lastTransitionTime": "2026-04-25T12:18:24Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "tsf-demo-comp-on-push-bqvg7-init-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19" }, "entryPoint": "init", "uri": "quay.io/konflux-ci/tekton-catalog/task-init" } }, "results": [ { "name": "http-proxy", "type": "string", "value": "" }, { "name": "no-proxy", "type": "string", "value": "" } ], "startTime": "2026-04-25T12:18:20Z", "steps": [ { "container": "step-init", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:2d1039b614888ca46d5d771ca886a5843e56ac9acf7210040a61075371338247", "name": "init", "terminated": { "containerID": "cri-o://acb58e46455fdeaf1ec9e9f709fdd71eb448252ed136b71c091cc02a673ff21a", "exitCode": 0, "finishedAt": "2026-04-25T12:18:23Z", "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:18:23Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.", "params": [ { "default": "false", "description": "Enable cache proxy configuration", "name": "enable-cache-proxy", "type": "string" } ], "results": [ { "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)", "name": "http-proxy", "type": "string" }, { "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)", "name": "no-proxy", "type": "string" } ], "steps": [ { "args": [ "--enable", "false" ], "command": [ "konflux-build-cli", "config", "cache-proxy" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" }, { "name": "DEFAULT_HTTP_PROXY", "value": "squid.caching.svc.cluster.local:3128" }, { "name": "DEFAULT_NO_PROXY", "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai" }, { "name": "HTTP_PROXY_RESULTS_PATH", "value": "/tekton/results/http-proxy" }, { "name": "NO_PROXY_RESULTS_PATH", "value": "/tekton/results/no-proxy" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf", "name": "init" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/commit_sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/target_branch": "base-ebdlek", "chains.tekton.dev/signed": "true", "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=2", "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6", "pipelinesascode.tekton.dev/branch": "base-ebdlek", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jgbbjj", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "112348674", "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-c26eaf2d8c.guab.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-bqvg7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ebdlek\"", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #237 from rhads-tsf-qe/konflux-tsf-demo-comp", "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ebdlek", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7/records/f78d8318-c564-45f5-a8b9-7da3191fc6f2", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"eventType\":\"push\"}", "results.tekton.dev/result": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux" }, "creationTimestamp": "2026-04-25T12:18:39Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.37.7", "appstudio.openshift.io/application": "tsf-demo-app", "appstudio.openshift.io/component": "tsf-demo-comp", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRunUID": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "tekton.dev/pipelineTask": "prefetch-dependencies", "tekton.dev/task": "prefetch-dependencies-oci-ta-min" }, "name": "tsf-demo-comp-on-push-bqvg7-prefetch-dependencies", "namespace": "default-tenant", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "tsf-demo-comp-on-push-bqvg7", "uid": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7" } ], "resourceVersion": "40896", "uid": "f78d8318-c564-45f5-a8b9-7da3191fc6f2" }, "spec": { "params": [ { "name": "input", "value": "" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:460ccd2352bd90cc6f22277c8a9c5aedd1fb03230d4afe854adbe5d44cf78e05" }, { "name": "ociStorage", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31.prefetch" }, { "name": "ociArtifactExpiresAfter", "value": "" } ], "serviceAccountName": "build-pipeline-tsf-demo-comp", "taskRef": { "params": [ { "name": "name", "value": "prefetch-dependencies-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min:0.3@sha256:1a41e7ee19f9e02874b4ef1f74e6f588a7601deaf5b30ca0862808e5760cea5d" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s", "workspaces": [ { "name": "git-basic-auth", "secret": { "secretName": "pac-gitauth-jgbbjj" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-04-25T12:19:16Z", "conditions": [ { "lastTransitionTime": "2026-04-25T12:19:16Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "tsf-demo-comp-on-push-bqvg7-prefetch-dependencies-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "1a41e7ee19f9e02874b4ef1f74e6f588a7601deaf5b30ca0862808e5760cea5d" }, "entryPoint": "prefetch-dependencies-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min" } }, "results": [ { "name": "CACHI2_ARTIFACT", "type": "string", "value": "" }, { "name": "SOURCE_ARTIFACT", "type": "string", "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:460ccd2352bd90cc6f22277c8a9c5aedd1fb03230d4afe854adbe5d44cf78e05" } ], "startTime": "2026-04-25T12:18:39Z", "steps": [ { "container": "step-skip-ta", "imageID": "registry.access.redhat.com/ubi9/ubi-minimal@sha256:83006d535923fcf1345067873524a3980316f51794f01d8655be55d6e9387183", "name": "skip-ta", "terminated": { "containerID": "cri-o://ca069618040fdb464ec062de3bb8514a69113c72b7cc353ea3a20bde1a08f93c", "exitCode": 0, "finishedAt": "2026-04-25T12:18:55Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:460ccd2352bd90cc6f22277c8a9c5aedd1fb03230d4afe854adbe5d44cf78e05\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:18:55Z" }, "terminationReason": "Completed" }, { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:6ee5ae7d29b718eb3c69e55f1ec3a3264bc1a03ba398b2e1f34c7a20af1720d1", "name": "use-trusted-artifact", "terminated": { "containerID": "cri-o://cbfc4c0bedf4942c15208d6880903d4bc746ad000e078ca8c491d9912a895a47", "exitCode": 0, "finishedAt": "2026-04-25T12:18:56Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:460ccd2352bd90cc6f22277c8a9c5aedd1fb03230d4afe854adbe5d44cf78e05\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:18:56Z" }, "terminationReason": "Completed" }, { "container": "step-prefetch-dependencies", "imageID": "quay.io/konflux-ci/hermeto@sha256:0101888c066cc428dbbe87f91752e6208cdfdce5e68f6d7b1a773ec281870784", "name": "prefetch-dependencies", "terminated": { "containerID": "cri-o://16daf9bf3b2b77f39ca9a133bd39aacb745700ceb4713b310aae4edfeece4562", "exitCode": 0, "finishedAt": "2026-04-25T12:19:16Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:460ccd2352bd90cc6f22277c8a9c5aedd1fb03230d4afe854adbe5d44cf78e05\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:18:56Z" }, "terminationReason": "Completed" }, { "container": "step-create-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:6ee5ae7d29b718eb3c69e55f1ec3a3264bc1a03ba398b2e1f34c7a20af1720d1", "name": "create-trusted-artifact", "terminated": { "containerID": "cri-o://6b7cd8196c1f645374fc3ef9f58e90a649d8f016478d8d2a5552ebdcd6386b0f", "exitCode": 0, "finishedAt": "2026-04-25T12:19:16Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:460ccd2352bd90cc6f22277c8a9c5aedd1fb03230d4afe854adbe5d44cf78e05\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:19:16Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Task that prefetches project dependencies for hermetic build.", "params": [ { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "", "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n", "name": "config-file-content", "type": "string" }, { "description": "Configures project packages that will have their dependencies prefetched.", "name": "input", "type": "string" }, { "default": "debug", "description": "Set the logging level (debug, info, warn, error, fatal).", "name": "log-level", "type": "string" }, { "default": "strict", "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).", "name": "mode", "type": "string" }, { "default": "", "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.", "name": "ociArtifactExpiresAfter", "type": "string" }, { "description": "The OCI repository where the Trusted Artifacts are stored.", "name": "ociStorage", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.", "name": "sbom-type", "type": "string" } ], "results": [ { "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "computeResources": {}, "env": [ { "name": "INPUT" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:460ccd2352bd90cc6f22277c8a9c5aedd1fb03230d4afe854adbe5d44cf78e05" } ], "image": "registry.access.redhat.com/ubi9/ubi-minimal:9.7-1773939694@sha256:83006d535923fcf1345067873524a3980316f51794f01d8655be55d6e9387183", "name": "skip-ta", "script": "#!/bin/bash\n\nif [ -z \"${INPUT}\" ]; then\n mkdir -p /var/workdir/source\n mkdir -p /var/workdir/cachi2\n echo \"true\" \u003e/var/workdir/source/.skip-trusted-artifacts\n echo \"true\" \u003e/var/workdir/cachi2/.skip-trusted-artifacts\n echo -n \"${SOURCE_ARTIFACT}\" \u003e\"/tekton/results/SOURCE_ARTIFACT\"\n echo -n \"\" \u003e\"/tekton/results/CACHI2_ARTIFACT\"\nfi\n" }, { "args": [ "use", "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:460ccd2352bd90cc6f22277c8a9c5aedd1fb03230d4afe854adbe5d44cf78e05=/var/workdir/source" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:6ee5ae7d29b718eb3c69e55f1ec3a3264bc1a03ba398b2e1f34c7a20af1720d1", "name": "use-trusted-artifact" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "debug" }, { "name": "KBC_PD_INPUT" }, { "name": "KBC_PD_SOURCE_DIR", "value": "/var/workdir/source" }, { "name": "KBC_PD_OUTPUT_DIR", "value": "/var/workdir/cachi2/output" }, { "name": "KBC_PD_SBOM_FORMAT", "value": "spdx" }, { "name": "KBC_PD_MODE", "value": "strict" }, { "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT", "value": "/cachi2/output" }, { "name": "KBC_PD_ENV_FILE", "value": "/var/workdir/cachi2/cachi2.env" }, { "name": "KBC_PD_GIT_AUTH_DIRECTORY", "value": "/workspace/git-basic-auth" }, { "name": "WORKSPACE_NETRC_PATH" }, { "name": "CONFIG_FILE_CONTENT" } ], "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26", "name": "prefetch-dependencies", "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n export KBC_PD_RHSM_ORG=/activation-key/org\n export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n echo \"${CONFIG_FILE_CONTENT}\" \u003e/mnt/config/config.yaml\n export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n", "volumeMounts": [ { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/mnt/config", "name": "config" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ] }, { "args": [ "create", "--store", "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31.prefetch", "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source", "/tekton/results/CACHI2_ARTIFACT=/var/workdir/cachi2" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_EXPIRES_AFTER" } ], "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:6ee5ae7d29b718eb3c69e55f1ec3a3264bc1a03ba398b2e1f34c7a20af1720d1", "name": "create-trusted-artifact" } ], "volumes": [ { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "emptyDir": {}, "name": "config" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ], "workspaces": [ { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n", "name": "git-basic-auth", "optional": true }, { "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n", "name": "netrc", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/commit_sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/target_branch": "base-ebdlek", "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6", "pipelinesascode.tekton.dev/branch": "base-ebdlek", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jgbbjj", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "112348674", "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-c26eaf2d8c.guab.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-bqvg7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ebdlek\"", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #237 from rhads-tsf-qe/konflux-tsf-demo-comp", "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ebdlek", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "results.tekton.dev/record": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7/records/da9c3999-17de-4935-95fd-b373fa9b633c", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"eventType\":\"push\"}", "results.tekton.dev/result": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "results.tekton.dev/stored": "false" }, "creationTimestamp": "2026-04-25T12:22:17Z", "finalizers": [ "chains.tekton.dev", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.37.7", "appstudio.openshift.io/application": "tsf-demo-app", "appstudio.openshift.io/component": "tsf-demo-comp", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRunUID": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "tekton.dev/pipelineTask": "rpms-signature-scan", "tekton.dev/task": "rpms-signature-scan" }, "name": "tsf-demo-comp-on-push-bqvg7-rpms-signature-scan", "namespace": "default-tenant", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "tsf-demo-comp-on-push-bqvg7", "uid": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7" } ], "resourceVersion": "44020", "uid": "da9c3999-17de-4935-95fd-b373fa9b633c" }, "spec": { "params": [ { "name": "image-url", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "image-digest", "value": "sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb" } ], "serviceAccountName": "build-pipeline-tsf-demo-comp", "taskRef": { "params": [ { "name": "name", "value": "rpms-signature-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "conditions": [ { "lastTransitionTime": "2026-04-25T12:22:21Z", "message": "pod status \"Ready\":\"False\"; message: \"containers with unready status: [step-rpms-signature-scan step-output-results]\"", "reason": "Pending", "status": "Unknown", "type": "Succeeded" } ], "podName": "tsf-demo-comp-on-push-bqvg7-rpms-signature-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "47b81d6b3d752649eddfbb8b3fd8f6522c4bb07f6d1946f9bc45dae3f92e2c9a" }, "entryPoint": "rpms-signature-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan" } }, "startTime": "2026-04-25T12:22:18Z", "steps": [ { "container": "step-rpms-signature-scan", "name": "rpms-signature-scan", "waiting": { "reason": "PodInitializing" } }, { "container": "step-output-results", "name": "output-results", "waiting": { "reason": "PodInitializing" } } ], "taskSpec": { "description": "Scans RPMs in an image and provide information about RPMs signatures.", "params": [ { "description": "Image URL", "name": "image-url", "type": "string" }, { "description": "Image digest to scan", "name": "image-digest", "type": "string" }, { "default": "/tmp", "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n", "name": "workdir", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Information about signed and unsigned RPMs", "name": "RPMS_DATA", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "200m", "memory": "256Mi" }, "requests": { "cpu": "200m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "IMAGE_DIGEST", "value": "sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb" }, { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/tools@sha256:c677979dbad26c7b95e502ef62548beaf805607b691ba0d26ff488fd394fb215", "name": "rpms-signature-scan", "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n --image-url \"${IMAGE_URL}\" \\\n --image-digest \"${IMAGE_DIGEST}\" \\\n --workdir \"${WORKDIR}\" \\\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "cpu": "50m", "memory": "32Mi" }, "requests": { "cpu": "50m", "memory": "32Mi" } }, "env": [ { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.46@sha256:c7e2099ad87d4c65284cba5df8488eae64d16ea0baff344c549ed7ca2415ebce", "name": "output-results", "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" } ] } ], "volumes": [ { "emptyDir": {}, "name": "workdir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/commit_sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/target_branch": "base-ebdlek", "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6", "pipelinesascode.tekton.dev/branch": "base-ebdlek", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jgbbjj", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "112348674", "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-c26eaf2d8c.guab.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-bqvg7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ebdlek\"", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #237 from rhads-tsf-qe/konflux-tsf-demo-comp", "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ebdlek", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "results.tekton.dev/record": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7/records/d929a58f-858f-4556-a16c-907979b10eb4", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"eventType\":\"push\"}", "results.tekton.dev/result": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "results.tekton.dev/stored": "false", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux" }, "creationTimestamp": "2026-04-25T12:22:17Z", "finalizers": [ "chains.tekton.dev", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.37.7", "appstudio.openshift.io/application": "tsf-demo-app", "appstudio.openshift.io/component": "tsf-demo-comp", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRunUID": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "tekton.dev/pipelineTask": "sast-shell-check", "tekton.dev/task": "sast-shell-check-oci-ta-min" }, "name": "tsf-demo-comp-on-push-bqvg7-sast-shell-check", "namespace": "default-tenant", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "tsf-demo-comp-on-push-bqvg7", "uid": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7" } ], "resourceVersion": "44388", "uid": "d929a58f-858f-4556-a16c-907979b10eb4" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb" }, { "name": "image-url", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:460ccd2352bd90cc6f22277c8a9c5aedd1fb03230d4afe854adbe5d44cf78e05" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "serviceAccountName": "build-pipeline-tsf-demo-comp", "taskRef": { "params": [ { "name": "name", "value": "sast-shell-check-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min:0.1@sha256:fa19753f59288a397aab2ddb9459f35f0ec1b89f43c36e944a3958db72becb5a" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "conditions": [ { "lastTransitionTime": "2026-04-25T12:22:58Z", "message": "Not all Steps in the Task have finished executing", "reason": "Running", "status": "Unknown", "type": "Succeeded" } ], "podName": "tsf-demo-comp-on-push-bqvg7-sast-shell-check-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "fa19753f59288a397aab2ddb9459f35f0ec1b89f43c36e944a3958db72becb5a" }, "entryPoint": "sast-shell-check-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta-min" } }, "startTime": "2026-04-25T12:22:17Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:ab064e9763b62d99da5ee9653370da86ffd9d3e770e1aad7a935e88b64a0b6ac", "name": "use-trusted-artifact", "running": { "startedAt": "2026-04-25T12:22:22Z" } }, { "container": "step-sast-shell-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a", "name": "sast-shell-check", "running": { "startedAt": "2026-04-25T12:22:54Z" } }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:180b50c7be50c20e3349a79df8dd6062fee0e0dd01aa30e9a09d1d07d9ebd0c2", "name": "upload", "running": { "startedAt": "2026-04-25T12:22:57Z" } } ], "taskSpec": { "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.", "params": [ { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "true", "description": "Whether to include important findings only", "name": "IMP_FINDINGS_ONLY", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "", "description": "Image digest to report findings for.", "name": "image-digest", "type": "string" }, { "default": "", "description": "Image URL.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:460ccd2352bd90cc6f22277c8a9c5aedd1fb03230d4afe854adbe5d44cf78e05=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:ab064e9763b62d99da5ee9653370da86ffd9d3e770e1aad7a935e88b64a0b6ac", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "cpu": "128m", "memory": "256Mi" }, "requests": { "cpu": "128m", "memory": "256Mi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "IMP_FINDINGS_ONLY", "value": "true" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.51@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a", "name": "sast-shell-check", "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/var/workdir/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c\"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n resolved_path=$(realpath -m \"$potential_path\")\n\n # ensure resolved path is still within SOURCE_CODE_DIR\n if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n ALL_TARGETS+=(\"$resolved_path\")\n else\n echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n exit 1\n fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n read -r quota period \u003c/sys/fs/cgroup/cpu.max\n if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n export SC_JOBS=$(((quota + period - 1) / period))\n echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n --mode=json\n --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n # predefined list of shellcheck important findings\n CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n CSGREP_OPTS+=(\n --event=\"$CSGREP_EVENT_FILTER\"\n )\nelse\n CSGREP_OPTS+=(\n --event=\"error|warning\"\n )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e\"$OUTPUT_FILE\"; then\n echo \"Error occurred while running 'run-shellcheck.sh'\"\n note=\"Task sast-shell-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e\"${OUTPUT_FILE}.filtered\" 2\u003e\"${OUTPUT_FILE}.error\"\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n else\n mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003eshellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check-oci-ta-min\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "IMAGE_DIGEST", "value": "sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:180b50c7be50c20e3349a79df8dd6062fee0e0dd01aa30e9a09d1d07d9ebd0c2", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n echo 'No image-url or image-digest param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n # Determine the media type based on the file extension\n if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n MEDIA_TYPE=\"application/json\"\n else\n MEDIA_TYPE=\"application/sarif+json\"\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"$IMAGE_URL\" \u003e\"$HOME/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"; then\n echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n exit 1\n fi\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/commit_sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/target_branch": "base-ebdlek", "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6", "pipelinesascode.tekton.dev/branch": "base-ebdlek", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jgbbjj", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "112348674", "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-c26eaf2d8c.guab.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-bqvg7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ebdlek\"", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #237 from rhads-tsf-qe/konflux-tsf-demo-comp", "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ebdlek", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "results.tekton.dev/record": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7/records/a682e9a5-7fb7-4867-995c-33cdbe5cc31a", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"eventType\":\"push\"}", "results.tekton.dev/result": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "results.tekton.dev/stored": "false", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux" }, "creationTimestamp": "2026-04-25T12:22:17Z", "finalizers": [ "chains.tekton.dev", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.37.7", "appstudio.openshift.io/application": "tsf-demo-app", "appstudio.openshift.io/component": "tsf-demo-comp", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRunUID": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "tekton.dev/pipelineTask": "sast-unicode-check", "tekton.dev/task": "sast-unicode-check-oci-ta-min" }, "name": "tsf-demo-comp-on-push-bqvg7-sast-unicode-check", "namespace": "default-tenant", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "tsf-demo-comp-on-push-bqvg7", "uid": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7" } ], "resourceVersion": "43993", "uid": "a682e9a5-7fb7-4867-995c-33cdbe5cc31a" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb" }, { "name": "image-url", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:460ccd2352bd90cc6f22277c8a9c5aedd1fb03230d4afe854adbe5d44cf78e05" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "serviceAccountName": "build-pipeline-tsf-demo-comp", "taskRef": { "params": [ { "name": "name", "value": "sast-unicode-check-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min:0.4@sha256:624d9ed6d461b59a16d8c1578276626c02fa6d56e0ee4bcd752f7859055f21ab" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "conditions": [ { "lastTransitionTime": "2026-04-25T12:22:21Z", "message": "pod status \"Ready\":\"False\"; message: \"containers with unready status: [step-use-trusted-artifact step-sast-unicode-check step-upload]\"", "reason": "Pending", "status": "Unknown", "type": "Succeeded" } ], "podName": "tsf-demo-comp-on-push-bqvg7-sast-unicode-check-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "624d9ed6d461b59a16d8c1578276626c02fa6d56e0ee4bcd752f7859055f21ab" }, "entryPoint": "sast-unicode-check-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta-min" } }, "startTime": "2026-04-25T12:22:18Z", "steps": [ { "container": "step-use-trusted-artifact", "name": "use-trusted-artifact", "waiting": { "reason": "PodInitializing" } }, { "container": "step-sast-unicode-check", "name": "sast-unicode-check", "waiting": { "reason": "PodInitializing" } }, { "container": "step-upload", "name": "upload", "waiting": { "reason": "PodInitializing" } } ], "taskSpec": { "description": "Scans source code for non-printable unicode characters in all text files.", "params": [ { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "-p bidi -v -d -t", "description": "arguments for find-unicode-control command.", "name": "FIND_UNICODE_CONTROL_ARGS", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "description": "Image digest used for ORAS upload.", "name": "image-digest", "type": "string" }, { "description": "Image URL used for ORAS upload.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:460ccd2352bd90cc6f22277c8a9c5aedd1fb03230d4afe854adbe5d44cf78e05=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:ab064e9763b62d99da5ee9653370da86ffd9d3e770e1aad7a935e88b64a0b6ac", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "128m", "memory": "256Mi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "FIND_UNICODE_CONTROL_ARGS", "value": "-p bidi -v -d -t" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "SOURCE_CODE_DIR", "value": "/var/workdir" }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.51@sha256:169f73f80fbde8d54f42416c5de8cc9214ecc7e8c89c70a3385285bbac32ad0a", "name": "sast-unicode-check", "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${SOURCE_CODE_DIR}/source\" \\\n \u003eraw_sast_unicode_check_out.txt \\\n 2\u003eraw_sast_unicode_check_out.log ||\n FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n echo \"Failed to run find-unicode-control command\" \u003e\u00262\n cat raw_sast_unicode_check_out.log\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n --mode=json\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"${SCAN_PROP}\"\n --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003eprocessed_sast_unicode_check_out.json 2\u003eprocessed_sast_unicode_check_out.err; then\n echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n cat processed_sast_unicode_check_out.err\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # Build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n # Append --record-excluded option if RECORD_EXCLUDED is true\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003esast_unicode_check_out.json 2\u003esast_unicode_check_out.error\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n else\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003esast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n note=\"Task sast-unicode-check-oci-ta-min success: No finding was detected\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s sast_unicode_check_out.sarif ]]; then\n note=\"Task sast-unicode-check-oci-ta-min success: Some findings were detected, but filtered by known false positive\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n echo \"sast-unicode-check test failed because of the following issues:\"\n cat sast_unicode_check_out.json\n TEST_OUTPUT=\n parse_test_output \"sast-unicode-check-oci-ta-min\" sarif sast_unicode_check_out.sarif || true\n note=\"Task sast-unicode-check-oci-ta-min failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "IMAGE_DIGEST", "value": "sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:180b50c7be50c20e3349a79df8dd6062fee0e0dd01aa30e9a09d1d07d9ebd0c2", "name": "upload", "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n echo 'No image-url param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n MEDIA_TYPE=application/json\n else\n MEDIA_TYPE=application/sarif+json\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"${IMAGE_URL}\" \u003e\"${HOME}/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/commit_sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "build.appstudio.redhat.com/target_branch": "base-ebdlek", "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6", "pipelinesascode.tekton.dev/branch": "base-ebdlek", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jgbbjj", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "112348674", "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-c26eaf2d8c.guab.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-bqvg7", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-ebdlek\"", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #237 from rhads-tsf-qe/konflux-tsf-demo-comp", "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-ebdlek", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "results.tekton.dev/record": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7/records/e0cfccb8-ea0e-44f5-9080-29ec3b7f7c53", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"dfe4c4322de07a80ce163ac6b5517ff3deaccf31\",\"eventType\":\"push\"}", "results.tekton.dev/result": "default-tenant/results/734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "results.tekton.dev/stored": "false", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux" }, "creationTimestamp": "2026-04-25T12:22:17Z", "finalizers": [ "chains.tekton.dev", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.37.7", "appstudio.openshift.io/application": "tsf-demo-app", "appstudio.openshift.io/component": "tsf-demo-comp", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73007927781", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/sha": "dfe4c4322de07a80ce163ac6b5517ff3deaccf31", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-bqvg7", "tekton.dev/pipelineRunUID": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7", "tekton.dev/pipelineTask": "tpa-scan", "tekton.dev/task": "tpa-scan" }, "name": "tsf-demo-comp-on-push-bqvg7-tpa-scan", "namespace": "default-tenant", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "tsf-demo-comp-on-push-bqvg7", "uid": "734f4c83-fdac-4e82-8a6b-7e0398f69ee7" } ], "resourceVersion": "44030", "uid": "e0cfccb8-ea0e-44f5-9080-29ec3b7f7c53" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb" }, { "name": "image-url", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" } ], "serviceAccountName": "build-pipeline-tsf-demo-comp", "taskRef": { "params": [ { "name": "name", "value": "tpa-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan:0.1@sha256:68b6e188f742da92af9c40a794fd021a65d49b419d1e36096277b2d9ebbe1afc" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "conditions": [ { "lastTransitionTime": "2026-04-25T12:22:21Z", "message": "pod status \"Ready\":\"False\"; message: \"containers with unready status: [step-get-vulnerabilities step-oci-attach-report step-conftest-vulnerabilities]\"", "reason": "Pending", "status": "Unknown", "type": "Succeeded" } ], "podName": "tsf-demo-comp-on-push-bqvg7-tpa-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "68b6e188f742da92af9c40a794fd021a65d49b419d1e36096277b2d9ebbe1afc" }, "entryPoint": "tpa-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-tpa-scan" } }, "startTime": "2026-04-25T12:22:19Z", "steps": [ { "container": "step-get-vulnerabilities", "name": "get-vulnerabilities", "waiting": { "reason": "PodInitializing" } }, { "container": "step-oci-attach-report", "name": "oci-attach-report", "waiting": { "reason": "PodInitializing" } }, { "container": "step-conftest-vulnerabilities", "name": "conftest-vulnerabilities", "waiting": { "reason": "PodInitializing" } } ], "taskSpec": { "description": "Scans container images for vulnerabilities using the TPA vulnerability scanner, by comparing the components of container image against the vulnerability databases.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "The platform which will be scanned by this task.", "name": "image-platform", "type": "string" }, { "default": "https://exhort.stage.devshift.net/api/v5/analysis", "description": "The url of the TPA instance which will be used for scanning.", "name": "tpa-url", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-oci-attach-report", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "TPA scan result.", "name": "SCAN_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" }, { "description": "Mapping of image digests to report digests", "name": "REPORTS", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, "steps": [ { "computeResources": { "limits": { "cpu": "800m", "memory": "2Gi" }, "requests": { "cpu": "800m", "memory": "2Gi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" }, { "name": "IMAGE_DIGEST", "value": "sha256:8338c9c9909f90a7712f6ea3d2bf12097fa828139da20766cf2c3325b96831fb" }, { "name": "IMAGE_PLATFORM" }, { "name": "TPA_URL", "value": "https://exhort.stage.devshift.net/api/v5/analysis" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "imagePullPolicy": "Always", "name": "get-vulnerabilities", "script": "#!/usr/bin/env bash\n\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\necho \"Inspecting raw image manifest $imageanddigest.\"\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\necho \"Selecting auth\"\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${imageanddigest}\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n done\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task tpa-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\n\ntpa_scan() {\n local sbom_file=${1}\n local arch=${2}\n local sbom_format\n\n sbom_format=$(jq -r 'if .bomFormat == \"CycloneDX\" then \"cyclonedx\" else \"spdx\" end' \u003c \"${sbom_file}\")\n retry curl -f --show-error -L -X POST -T \"${sbom_file}\" -H \"Content-Type:application/vnd.${sbom_format}+json\" \"${TPA_URL}\" | tee \"tpa-report-${arch}.json\";\n}\n\nrun_tpa_on_arch() {\n local arch=\"$1\"\n local sha_file=\"image-manifest-${arch}.sha\"\n local sbom_file_path=\"/tmp/sbom-${arch}.json\"\n local arch_sha=\"\"\n\n if [ -e \"${sha_file}\" ]; then\n arch_sha=$(\u003c\"${sha_file}\")\n arch_imageanddigest=$(echo -n \"${imagewithouttag}@${arch_sha}\")\n else\n echo \"Couldn't find the SHA file for the requested architecture.\"\n exit 1\n fi\n\n echo \"Selecting auth\"\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${arch_imageanddigest}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n\n # Attempt to download the SBOM file via cosign\n\n if ! retry cosign download sbom \"${arch_imageanddigest}\" \u003e \"${sbom_file_path}\"; then\n echo \"Unable to download SBOM for the architecture ${arch}.\"\n exit 1\n fi\n\n if [ -e \"${sbom_file_path}\" ]; then\n local arch_sha\n arch_sha=$(\u003c\"$sha_file\")\n\n echo \"Running TPA scan on $arch image manifest...\"\n tpa_scan \"${sbom_file_path}\" \"$arch\" || true\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n else\n echo \"Couldn't find the SBOM file for the requested ${arch} architecture.\"\n exit 1\n fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run the tpa scan on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n arch=\"${platform#*/}\"\n if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n arch=\"amd64\"\n fi\n # Validate against supported arch list. If it's not a known arch, fallback to amd64\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n exit 1\n ;;\n esac\n\n run_tpa_on_arch \"$arch\"\n\n# If no platform is specified, run TPA scan on all available image manifests\nelse\n for sha_file in image-manifest-*.sha; do\n if [ -e \"$sha_file\" ]; then\n arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n run_tpa_on_arch \"$arch\"\n fi\n done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_OCI_ATTACH_REPORT", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:dfe4c4322de07a80ce163ac6b5517ff3deaccf31" } ], "image": "quay.io/konflux-ci/task-runner:1.5.0@sha256:200019314a50be5b6dd06f362c794c92a700583a522c5eee9a41e3eab7f706c5", "name": "oci-attach-report", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n echo 'OCI attach report skipped by parameter.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\nif ! compgen -G \"tpa-report-*.json\" \u003e /dev/null; then\n echo 'No TPA reports generated. Skipping upload.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n report_file=\"$1\"\n arch=\"${report_file/*-}\"\n echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.tpa-report+json'\n\nreports_json=\"{}\"\nfor f in tpa-report-*.json; do\n digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n image_ref=\"${repository}@${digest}\"\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${image_ref}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n echo \"Attaching $f to ${image_ref}\"\n if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n \"/tmp/auth/config.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n then\n echo \"Failed to attach ${f} to ${image_ref}\"\n exit 1\n fi\n # shellcheck disable=SC2016\n reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/redhat-user-workloads/rhtap-integration-tenant/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "conftest-vulnerabilities", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\ntpa_result_files=$(ls /tekton/home/tpa-report-*.json 2\u003e/dev/null || true)\nif [ -z \"$tpa_result_files\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: No tpa-report files found in /tekton/home.\"\n exit 1\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $tpa_result_files; do\n file_suffix=$(basename \"$file\" | sed 's/tpa-report-//;s/.json//')\n if [ ! -s \"$file\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n else\n /usr/bin/conftest test --no-fail $file \\\n --policy /project/rhtpa/vulnerabilities-check.rego --namespace required_checks \\\n --output=json | tee /tekton/home/tpa-vulnerabilities-\"${file_suffix}\".json || true\n fi\n\n #check for missing \"tpa-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n if [ ! -f \"/tekton/home/tpa-vulnerabilities-$file_suffix.json\" ]; then\n missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/tpa-vulnerabilities-$file_suffix.json\"\n fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n note=\"Task tpa-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/tpa-vulnerabilities-*.json; do\n result=$(jq -rce \\\n '{\n vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n },\n unpatched_vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"rhtpa_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n }\n }' \"$file\")\n\n scan_result=$(jq -s -rce \\\n '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task tpa-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by TPA.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } } } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=10d106f3035e91d75173eb6f3b65a77356caa60c", "build.appstudio.redhat.com/commit_sha": "10d106f3035e91d75173eb6f3b65a77356caa60c", "build.appstudio.redhat.com/target_branch": "base-vytaap", "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6", "pipelinesascode.tekton.dev/branch": "base-vytaap", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73008040367", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-lbahhl", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "112348674", "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-c26eaf2d8c.guab.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-nmbds", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-vytaap\"", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot", "pipelinesascode.tekton.dev/sha": "10d106f3035e91d75173eb6f3b65a77356caa60c", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #238 from rhads-tsf-qe/konflux-tsf-demo-comp", "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/10d106f3035e91d75173eb6f3b65a77356caa60c", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-vytaap", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "results.tekton.dev/record": "default-tenant/results/dec2d079-a9c0-4297-87a5-a3019574b7bb/records/d8188478-8b40-4f8d-a3da-36ef7f246c21", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"10d106f3035e91d75173eb6f3b65a77356caa60c\",\"eventType\":\"push\"}", "results.tekton.dev/result": "default-tenant/results/dec2d079-a9c0-4297-87a5-a3019574b7bb", "results.tekton.dev/stored": "false", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux" }, "creationTimestamp": "2026-04-25T12:21:26Z", "finalizers": [ "results.tekton.dev/taskrun", "chains.tekton.dev" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.37.7", "appstudio.openshift.io/application": "tsf-demo-app", "appstudio.openshift.io/component": "tsf-demo-comp", "build.appstudio.redhat.com/build_type": "docker", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73008040367", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/sha": "10d106f3035e91d75173eb6f3b65a77356caa60c", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "tsf-demo-comp-on-push-nmbds", "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-nmbds", "tekton.dev/pipelineRunUID": "dec2d079-a9c0-4297-87a5-a3019574b7bb", "tekton.dev/pipelineTask": "build-container", "tekton.dev/task": "buildah-oci-ta-min" }, "name": "tsf-demo-comp-on-push-nmbds-build-container", "namespace": "default-tenant", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "tsf-demo-comp-on-push-nmbds", "uid": "dec2d079-a9c0-4297-87a5-a3019574b7bb" } ], "resourceVersion": "44312", "uid": "d8188478-8b40-4f8d-a3da-36ef7f246c21" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:10d106f3035e91d75173eb6f3b65a77356caa60c" }, { "name": "DOCKERFILE", "value": "Dockerfile" }, { "name": "CONTEXT", "value": "." }, { "name": "HERMETIC", "value": "false" }, { "name": "PREFETCH_INPUT", "value": "" }, { "name": "IMAGE_EXPIRES_AFTER", "value": "" }, { "name": "COMMIT_SHA", "value": "10d106f3035e91d75173eb6f3b65a77356caa60c" }, { "name": "BUILD_ARGS", "value": [] }, { "name": "BUILD_ARGS_FILE", "value": "" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SOURCE_URL", "value": "https://github.com/rhads-tsf-qe/testrepo" }, { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "HTTP_PROXY", "value": "" }, { "name": "NO_PROXY", "value": "" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:cc79ae5b0ff759c70a92b1f02c5ec758d6af839c64f44febd78678c4a8b940b3" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "serviceAccountName": "build-pipeline-tsf-demo-comp", "taskRef": { "params": [ { "name": "name", "value": "buildah-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min:0.9@sha256:95c1b5a8b454e19bd4eb28bf90ee0247467743d0e0f5737d952dce1a99108d2f" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "conditions": [ { "lastTransitionTime": "2026-04-25T12:21:52Z", "message": "Not all Steps in the Task have finished executing", "reason": "Running", "status": "Unknown", "type": "Succeeded" } ], "podName": "tsf-demo-comp-on-push-nmbds-build-container-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "95c1b5a8b454e19bd4eb28bf90ee0247467743d0e0f5737d952dce1a99108d2f" }, "entryPoint": "buildah-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta-min" } }, "startTime": "2026-04-25T12:21:26Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad", "name": "use-trusted-artifact", "terminated": { "containerID": "cri-o://fcd74f77b5696cecd216c3bcbfc9c8985951c0f37e771a92ca3bfdfe6753adee", "exitCode": 0, "finishedAt": "2026-04-25T12:21:54Z", "reason": "Completed", "startedAt": "2026-04-25T12:21:53Z" }, "terminationReason": "Completed" }, { "container": "step-build", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "build", "terminated": { "containerID": "cri-o://629478b18690eb95029068d65f783ce146941b9927c04e7007307fd5a9ba7886", "exitCode": 0, "finishedAt": "2026-04-25T12:22:41Z", "reason": "Completed", "startedAt": "2026-04-25T12:21:54Z" }, "terminationReason": "Completed" }, { "container": "step-push", "imageID": "quay.io/konflux-ci/buildah-task@sha256:3bd8b2c9f2b809bd86457cbe8411051b5a000f312b5e48cab63ab288bf6bf330", "name": "push", "running": { "startedAt": "2026-04-25T12:21:41Z" } }, { "container": "step-sbom-syft-generate", "imageID": "quay.io/konflux-ci/task-runner@sha256:b22b989da3c95cb0af862eeb82531ed4f687e948ca5fb6b965d1ea8fbd5054ce", "name": "sbom-syft-generate", "running": { "startedAt": "2026-04-25T12:21:41Z" } }, { "container": "step-prepare-sboms", "imageID": "quay.io/konflux-ci/mobster@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "running": { "startedAt": "2026-04-25T12:21:51Z" } }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:b22b989da3c95cb0af862eeb82531ed4f687e948ca5fb6b965d1ea8fbd5054ce", "name": "upload-sbom", "running": { "startedAt": "2026-04-25T12:21:51Z" } } ], "taskSpec": { "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.", "params": [ { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" }, { "default": [], "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings", "name": "ADDITIONAL_BASE_IMAGES", "type": "array" }, { "default": "does-not-exist", "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET", "name": "ADDITIONAL_SECRET", "type": "string" }, { "default": "", "description": "Comma separated list of extra capabilities to add when running 'buildah build'", "name": "ADD_CAPABILITIES", "type": "string" }, { "default": [], "description": "Additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS", "type": "array" }, { "default": "", "description": "Path to a file with additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS_FILE", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": [], "description": "Array of --build-arg values (\"arg=value\" strings)", "name": "BUILD_ARGS", "type": "array" }, { "default": "", "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file", "name": "BUILD_ARGS_FILE", "type": "string" }, { "default": "", "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.", "name": "BUILD_TIMESTAMP", "type": "string" }, { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "", "description": "The image is built from this commit.", "name": "COMMIT_SHA", "type": "string" }, { "default": ".", "description": "Path to the directory to use as context.", "name": "CONTEXT", "type": "string" }, { "default": "true", "description": "Determines if SBOM will be contextualized.", "name": "CONTEXTUALIZE_SBOM", "type": "string" }, { "default": "./Dockerfile", "description": "Path to the Dockerfile to build.", "name": "DOCKERFILE", "type": "string" }, { "default": "etc-pki-entitlement", "description": "Name of secret which contains the entitlement certificates", "name": "ENTITLEMENT_SECRET", "type": "string" }, { "default": [], "description": "Array of --env values (\"env=value\" strings)", "name": "ENV_VARS", "type": "array" }, { "default": "false", "description": "Determines if build will be executed without network access.", "name": "HERMETIC", "type": "string" }, { "default": "", "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.", "name": "HTTP_PROXY", "type": "string" }, { "default": "true", "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection", "name": "ICM_KEEP_COMPAT_LOCATION", "type": "string" }, { "description": "Reference of the image buildah will produce.", "name": "IMAGE", "type": "string" }, { "default": "", "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.", "name": "IMAGE_EXPIRES_AFTER", "type": "string" }, { "default": "true", "description": "Determines if the image inherits the base image labels.", "name": "INHERIT_BASE_IMAGE_LABELS", "type": "string" }, { "default": [], "description": "Additional key=value labels that should be applied to the image", "name": "LABELS", "type": "array" }, { "default": "", "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.", "name": "NO_PROXY", "type": "string" }, { "default": "false", "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.", "name": "OMIT_HISTORY", "type": "string" }, { "default": "", "description": "In case it is not empty, the prefetched content should be made available to the build.", "name": "PREFETCH_INPUT", "type": "string" }, { "default": "false", "description": "Whether to enable privileged mode, should be used only with remote VMs", "name": "PRIVILEGED_NESTED", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.", "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "caching-ca-bundle", "description": "The name of the ConfigMap to read proxy CA bundle data from.", "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "false", "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.", "name": "REWRITE_TIMESTAMP", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.", "name": "SBOM_SOURCE_SCAN_ENABLED", "type": "string" }, { "default": "", "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection", "name": "SBOM_SYFT_SELECT_CATALOGERS", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.", "name": "SBOM_TYPE", "type": "string" }, { "default": "false", "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.", "name": "SKIP_INJECTIONS", "type": "string" }, { "default": "false", "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled", "name": "SKIP_SBOM_GENERATION", "type": "string" }, { "default": "true", "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages", "name": "SKIP_UNUSED_STAGES", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": "", "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.", "name": "SOURCE_DATE_EPOCH", "type": "string" }, { "default": "", "description": "The image is built from this URL.", "name": "SOURCE_URL", "type": "string" }, { "default": "false", "description": "Squash all new and previous layers added as a part of this build, as per --squash", "name": "SQUASH", "type": "string" }, { "default": "overlay", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "", "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.", "name": "TARGET_STAGE", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "default": "", "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).", "name": "WORKINGDIR_MOUNT", "type": "string" }, { "default": "fetched.repos.d", "description": "Path in source workspace where dynamically-fetched repos are present", "name": "YUM_REPOS_D_FETCHED", "type": "string" }, { "default": "repos.d", "description": "Path in the git repository in which yum repository files are stored", "name": "YUM_REPOS_D_SRC", "type": "string" }, { "default": "/etc/yum.repos.d", "description": "Target path on the container in which yum repository files should be made available", "name": "YUM_REPOS_D_TARGET", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image reference of the built image", "name": "IMAGE_REF", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "ACTIVATION_KEY", "value": "activation-key" }, { "name": "ADDITIONAL_SECRET", "value": "does-not-exist" }, { "name": "ADD_CAPABILITIES" }, { "name": "ANNOTATIONS_FILE" }, { "name": "BUILD_ARGS_FILE" }, { "name": "BUILD_TIMESTAMP" }, { "name": "CONTEXT", "value": "." }, { "name": "CONTEXTUALIZE_SBOM", "value": "true" }, { "name": "ENTITLEMENT_SECRET", "value": "etc-pki-entitlement" }, { "name": "HERMETIC", "value": "false" }, { "name": "IMAGE", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:10d106f3035e91d75173eb6f3b65a77356caa60c" }, { "name": "IMAGE_EXPIRES_AFTER" }, { "name": "INHERIT_BASE_IMAGE_LABELS", "value": "true" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SBOM_SKIP_VALIDATION", "value": "true" }, { "name": "SBOM_SOURCE_SCAN_ENABLED", "value": "true" }, { "name": "SBOM_SYFT_SELECT_CATALOGERS" }, { "name": "SBOM_TYPE", "value": "spdx" }, { "name": "SKIP_INJECTIONS", "value": "false" }, { "name": "SKIP_SBOM_GENERATION", "value": "false" }, { "name": "SKIP_UNUSED_STAGES", "value": "true" }, { "name": "SOURCE_CODE_DIR", "value": "source" }, { "name": "SQUASH", "value": "false" }, { "name": "STORAGE_DRIVER", "value": "overlay" }, { "name": "TARGET_STAGE" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "WORKINGDIR_MOUNT" }, { "name": "YUM_REPOS_D_FETCHED", "value": "fetched.repos.d" }, { "name": "YUM_REPOS_D_SRC", "value": "repos.d" }, { "name": "YUM_REPOS_D_TARGET", "value": "/etc/yum.repos.d" } ], "imagePullPolicy": "IfNotPresent", "volumeMounts": [ { "mountPath": "/shared", "name": "shared" }, { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:cc79ae5b0ff759c70a92b1f02c5ec758d6af839c64f44febd78678c4a8b940b3=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "args": [ "--build-args", "--env", "--labels", "--annotations" ], "computeResources": { "limits": { "cpu": "500m", "memory": "1Gi" }, "requests": { "cpu": "500m", "memory": "1Gi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "COMMIT_SHA", "value": "10d106f3035e91d75173eb6f3b65a77356caa60c" }, { "name": "SOURCE_URL", "value": "https://github.com/rhads-tsf-qe/testrepo" }, { "name": "DOCKERFILE", "value": "Dockerfile" }, { "name": "BUILDAH_HTTP_PROXY" }, { "name": "BUILDAH_NO_PROXY" }, { "name": "ICM_KEEP_COMPAT_LOCATION", "value": "true" }, { "name": "BUILDAH_OMIT_HISTORY", "value": "false" }, { "name": "BUILDAH_SOURCE_DATE_EPOCH" }, { "name": "BUILDAH_REWRITE_TIMESTAMP", "value": "false" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "build", "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n fi\n fi\n}\n\nfunction unset_proxy {\n echo \"[$(date --utc -Ins)] Unsetting proxy\"\n unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n\"$source_dir_path\" | \"$source_dir_path/\"*)\n # path is valid, do nothing\n ;;\n*)\n echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n echo \"Source path: $source_dir_path\" \u003e\u00262\n echo \"Resolved path: $context_dir_path\" \u003e\u00262\n exit 1\n ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n # Instrumented builds (SAST) use this custom dockerfile step as their base\n dockerfile_path=\"$DOCKERFILE\"\nelse\n echo \"Cannot find Dockerfile $DOCKERFILE\"\n exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e/etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n while IFS= read -r line || [[ -n \"$line\" ]]; do\n # Skip empty lines and comments\n if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n ANNOTATIONS+=(\"--annotation\" \"$line\")\n fi\n done \u003c\"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --build-args)\n shift\n # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n build_args+=(\"$1\")\n shift\n done\n ;;\n --env)\n shift\n # Collect env entries of the form KEY=value\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n env_vars+=(\"$1\")\n shift\n done\n ;;\n --labels)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n LABELS+=(\"--label\" \"$1\")\n shift\n done\n ;;\n --annotations)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n ANNOTATIONS+=(\"--annotation\" \"$1\")\n shift\n done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e/shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--pull=never\")\n UNSHARE_ARGS+=(\"--net\")\n buildah_retries=3\n\n set_proxy\n\n for image in $BASE_IMAGES; do\n if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"; then\n echo \"Failed to pull base image ${image}\"\n exit 1\n fi\n done\n\n unset_proxy\n\n echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n BUILDAH_ARGS+=(\"--cap-add=all\")\n BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ]; then\n BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ]; then\n BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n fi\n if [ -n \"$BUILD_TIMESTAMP\" ]; then\n echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n exit 1\n fi\n # but do set it so that we get all the labels/annotations associated with it\n BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/var/workdir/cachi2/cachi2.env\" ]; then\n # Identify the current arch to filter the prefetched content\n PREFETCH_ARCH=\"$(uname -m)\"\n echo \"$PREFETCH_ARCH\" \u003e/shared/prefetch-arch\n\n echo \"Prefetched content will be made available\"\n\n cp -r \"/var/workdir/cachi2\" /tmp/\n chmod -R go+rwX /tmp/cachi2\n\n # In case RPMs were prefetched and this is a multi-arch build,\n # clean up the packages that do not match the architecture being built\n RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n echo \"Removing prefetched RPMs from non-matching architectures\"\n PREFETCH_ARCH=\"$(uname -m)\"\n for path in \"$RPM_PREFETCH_DIR\"/*; do\n if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n echo \"Removing: $path\"\n rm -rf \"$path\"\n else\n echo \"Keeping: $path\"\n fi\n done\n fi\n\n VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n sed -E -i \\\n -e 'H;1h;$!d;x' \\\n -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n @igM' \\\n \"$dockerfile_copy\"\n\n prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n mkdir -p \"$YUM_REPOS_D_FETCHED\"\n if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n fi\n fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n \"--label\" \"architecture=$(uname -m)\"\n \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n FINAL_BASE_IMAGE=$(\n # Get the base image of the final stage\n # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n # Run the find_root_stage() function on the final stage\n # If the final stage is scratch or oci-archive, return empty\n jq -r '.Stages as $all_stages |\n def find_root_stage($stage):\n if $stage.From.Stage then\n find_root_stage($all_stages[$stage.From.Stage.Index])\n else\n $stage\n end;\n\n find_root_stage(.Stages[-1]) |\n if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n empty\n else\n .BaseName\n end' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n )\n if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n set_proxy\n buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null$()\n unset_proxy\n buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n if [[ \"$label\" != \"--label\" ]]; then\n label_pairs+=(\"$label\")\n fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n echo \"\" \u003e\u003e\"$dockerfile_copy\"\n # Always write labels.json to the new standard location\n echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n # Conditionally write to the old location for backward compatibility\n if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n cp \"$containerignore\" \"$ignorefile_copy\"\n {\n echo \"\"\n echo \"!/labels.json\"\n echo \"!/content-sets.json\"\n } \u003e\u003e\"$ignorefile_copy\"\n BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n# to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n# shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n mkdir -p /shared/rhsm/etc/pki/entitlement\n mkdir -p /shared/rhsm/etc/pki/consumer\n\n VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key\n -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z\n -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n echo \"Adding activation key to the build\"\n\n if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n # user is not running registration in the Containerfile: pre-register.\n echo \"Pre-registering with subscription manager.\"\n export RETRY_MAX_TRIES=6\n if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"; then\n echo \"Subscription-manager register failed\"\n exit 1\n fi\n unset RETRY_MAX_TRIES\n trap 'subscription-manager unregister || true' EXIT\n\n # copy generated certificates to /shared volume\n cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e/dev/null; then\n cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n exit 1\n fi\n # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n # (we set the workdir using 'unshare -w')\n context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n # Instrumented builds (SAST) use this step as their base and add some other tools.\n while read -r volume_mount; do\n VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n done \u003c\u003c\u003c\"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n while read -r filename; do\n echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n buildah build\n \"${VOLUME_MOUNTS[@]}\"\n \"${BUILDAH_ARGS[@]}\"\n \"${LABELS[@]}\"\n \"${ANNOTATIONS[@]}\"\n --tls-verify=\"$TLSVERIFY\" --no-cache\n --ulimit nofile=4096:4096\n --http-proxy=false\n -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n echo \"Making copy of sbom-prefetch.json\"\n cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n # Get the image pullspec and filter out a tag if it is not set\n # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n # if buildah did not use that particular image during build because it was skipped\n if [ -n \"$base_image_digest\" ]; then\n echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci\"\necho \"/shared/$image_name.oci\" \u003e/shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/entitlement", "name": "etc-pki-entitlement" }, { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/additional-secret", "name": "additional-secret" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/mnt/proxy-ca-bundle", "name": "proxy-ca-bundle", "readOnly": true } ], "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "TASKRUN_NAME", "value": "tsf-demo-comp-on-push-nmbds-build-container" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "push", "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n \"$IMAGE\" \\\n \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"; then\n echo \"Failed to push sbom image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --digestfile \"/var/workdir/image-digest\" \"$IMAGE\" \\\n \"docker://$IMAGE\"; then\n echo \"Failed to push sbom image to $IMAGE\"\n exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c\"/var/workdir\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n echo -n \"${IMAGE}@\"\n cat \"/var/workdir/image-digest\"\n} \u003e\"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"; then\n echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n [rekorInternalUrl]=REKOR_URL\n [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n [rekorInternalUrl]=rekorExternalUrl\n [fulcioInternalUrl]=fulcioExternalUrl\n [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n if [ -n \"${val}\" ]; then\n echo \"Using fallback ${fallback_key} instead of ${key}\"\n fi\n fi\n if [ -z \"${val}\" ]; then\n missing=\"${missing:+${missing}, }${key}\"\n else\n declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n configured=$((configured + 1))\n fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n echo \"Keyless signing is enabled\"\n\n # Save signing config for upload-sbom step\n for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n envvar=\"${SIGNING_KEY_MAP[$key]}\"\n printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n done \u003e/shared/signing-config.env\n\n echo \"Using Rekor URL: ${REKOR_URL}\"\n echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n\n echo \"[$(date --utc -Ins)] Sign image\"\n echo \"Signing image ${IMAGE_REF} using keyless signing\"\n if ! retry cosign sign -y \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"; then\n echo \"Failed to sign image\" \u003e\u00262\n exit 1\n fi\nelif [ \"${configured}\" -eq 0 ]; then\n echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] }, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "256m", "memory": "512Mi" }, "requests": { "cpu": "256m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea", "name": "sbom-syft-generate", "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\ncase $SBOM_TYPE in\ncyclonedx)\n syft_sbom_type=cyclonedx-json@1.5\n ;;\nspdx)\n syft_sbom_type=spdx-json@2.3\n ;;\n*)\n echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n exit 1\n ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n oci-dir:\"${OCI_DIR}\"\n --output \"$syft_sbom_type=/var/workdir/sbom-image.json\"\n)\nsyft_source_args=(\n dir:\"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT\"\n --output \"$syft_sbom_type=/var/workdir/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n echo \"Running syft on the source code\"\n syft \"${syft_source_args[@]}\"\nelse\n echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/shared", "name": "shared" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" }, { "args": [ "--additional-base-images" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/mobster:1.2.0-1774868067@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --additional-base-images)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n ADDITIONAL_BASE_IMAGES+=(\"$1\")\n shift\n done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n generate\n --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-image\n --from-syft \"/var/workdir/sbom-image.json\"\n --image-pullspec \"$IMAGE_URL\"\n --image-digest \"$IMAGE_DIGEST\"\n --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/var/workdir/sbom-source.json\" ]; then\n mobster_args+=(--from-syft \"/var/workdir/sbom-source.json\")\nfi\n\nif [ -f \"/var/workdir/sbom-prefetch.json\" ]; then\n mobster_args+=(--from-hermeto \"/var/workdir/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n", "securityContext": { "runAsUser": 0 }, "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.4.1@sha256:d9feec6f2ce9b10cfb76b45ea14f83b5ed9f231de7d6083291550aebe8eb09ea", "name": "upload-sbom", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"; then\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n # shellcheck source=/dev/null\n source /shared/signing-config.env\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n # spdx export data as rawstring, we want structured json as cyclonedx\n ATT_SBOM_TYPE=\"spdxjson\"\n fi\n\n echo \"[$(date --utc -Ins)] Sign SBOM\"\n echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"; then\n echo \"Failed to sign SBOM\" \u003e\u00262\n exit 1\n fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/var/workdir" } ], "volumes": [ { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "name": "additional-secret", "secret": { "optional": true, "secretName": "does-not-exist" } }, { "name": "etc-pki-entitlement", "secret": { "optional": true, "secretName": "etc-pki-entitlement" } }, { "name": "oidc-token", "projected": { "sources": [ { "serviceAccountToken": { "audience": "sigstore", "expirationSeconds": 600, "path": "oidc-token" } } ] } }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "caching-ca-bundle", "optional": true }, "name": "proxy-ca-bundle" }, { "emptyDir": {}, "name": "shared" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "varlibcontainers" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=10d106f3035e91d75173eb6f3b65a77356caa60c", "build.appstudio.redhat.com/commit_sha": "10d106f3035e91d75173eb6f3b65a77356caa60c", "build.appstudio.redhat.com/target_branch": "base-vytaap", "chains.tekton.dev/signed": "true", "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=6", "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6", "pipelinesascode.tekton.dev/branch": "base-vytaap", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73008040367", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-lbahhl", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "112348674", "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-c26eaf2d8c.guab.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-nmbds", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-vytaap\"", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot", "pipelinesascode.tekton.dev/sha": "10d106f3035e91d75173eb6f3b65a77356caa60c", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #238 from rhads-tsf-qe/konflux-tsf-demo-comp", "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/10d106f3035e91d75173eb6f3b65a77356caa60c", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-vytaap", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "default-tenant/results/dec2d079-a9c0-4297-87a5-a3019574b7bb/records/11d79e92-6fd5-4ff9-8368-318cd904a6a0", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"10d106f3035e91d75173eb6f3b65a77356caa60c\",\"eventType\":\"push\"}", "results.tekton.dev/result": "default-tenant/results/dec2d079-a9c0-4297-87a5-a3019574b7bb", "results.tekton.dev/stored": "true", "tekton.dev/categories": "Git", "tekton.dev/displayName": "git clone oci trusted artifacts", "tekton.dev/pipelines.minVersion": "0.21.0", "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64", "tekton.dev/tags": "git" }, "creationTimestamp": "2026-04-25T12:20:49Z", "finalizers": [ "chains.tekton.dev", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.37.7", "appstudio.openshift.io/application": "tsf-demo-app", "appstudio.openshift.io/component": "tsf-demo-comp", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73008040367", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/sha": "10d106f3035e91d75173eb6f3b65a77356caa60c", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "tsf-demo-comp-on-push-nmbds", "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-nmbds", "tekton.dev/pipelineRunUID": "dec2d079-a9c0-4297-87a5-a3019574b7bb", "tekton.dev/pipelineTask": "clone-repository", "tekton.dev/task": "git-clone-oci-ta-min" }, "name": "tsf-demo-comp-on-push-nmbds-clone-repository", "namespace": "default-tenant", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "tsf-demo-comp-on-push-nmbds", "uid": "dec2d079-a9c0-4297-87a5-a3019574b7bb" } ], "resourceVersion": "42672", "uid": "11d79e92-6fd5-4ff9-8368-318cd904a6a0" }, "spec": { "params": [ { "name": "url", "value": "https://github.com/rhads-tsf-qe/testrepo" }, { "name": "revision", "value": "10d106f3035e91d75173eb6f3b65a77356caa60c" }, { "name": "ociStorage", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:10d106f3035e91d75173eb6f3b65a77356caa60c.git" }, { "name": "ociArtifactExpiresAfter", "value": "" } ], "serviceAccountName": "build-pipeline-tsf-demo-comp", "taskRef": { "params": [ { "name": "name", "value": "git-clone-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min:0.1@sha256:2fff50eaed7d278c3ed82375d28241eaf6eecbc389ec4d44992721786a0dfa68" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s", "workspaces": [ { "name": "basic-auth", "secret": { "secretName": "pac-gitauth-lbahhl" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-04-25T12:20:57Z", "conditions": [ { "lastTransitionTime": "2026-04-25T12:20:57Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "tsf-demo-comp-on-push-nmbds-clone-repository-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "2fff50eaed7d278c3ed82375d28241eaf6eecbc389ec4d44992721786a0dfa68" }, "entryPoint": "git-clone-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta-min" } }, "results": [ { "name": "CHAINS-GIT_COMMIT", "type": "string", "value": "10d106f3035e91d75173eb6f3b65a77356caa60c" }, { "name": "CHAINS-GIT_URL", "type": "string", "value": "https://github.com/rhads-tsf-qe/testrepo" }, { "name": "commit", "type": "string", "value": "10d106f3035e91d75173eb6f3b65a77356caa60c" }, { "name": "commit-timestamp", "type": "string", "value": "1777119633" }, { "name": "short-commit", "type": "string", "value": "10d106f" }, { "name": "url", "type": "string", "value": "https://github.com/rhads-tsf-qe/testrepo" }, { "name": "SOURCE_ARTIFACT", "type": "string", "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:cc79ae5b0ff759c70a92b1f02c5ec758d6af839c64f44febd78678c4a8b940b3" } ], "startTime": "2026-04-25T12:20:49Z", "steps": [ { "container": "step-clone", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "terminated": { "containerID": "cri-o://ac3b9e76faf8bd33616e4fff4420e7a26c27d49b7616f2d590514d449410456e", "exitCode": 0, "finishedAt": "2026-04-25T12:20:54Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"10d106f3035e91d75173eb6f3b65a77356caa60c\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1},{\"key\":\"commit\",\"value\":\"10d106f3035e91d75173eb6f3b65a77356caa60c\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1777119633\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"10d106f\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:20:54Z" }, "terminationReason": "Completed" }, { "container": "step-symlink-check", "imageID": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "terminated": { "containerID": "cri-o://cdce53be26953fe3bf49db453835824b1931ae89546428856cfdf92cda5a0737", "exitCode": 0, "finishedAt": "2026-04-25T12:20:55Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"10d106f3035e91d75173eb6f3b65a77356caa60c\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1},{\"key\":\"commit\",\"value\":\"10d106f3035e91d75173eb6f3b65a77356caa60c\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1777119633\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"10d106f\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:20:55Z" }, "terminationReason": "Completed" }, { "container": "step-create-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad", "name": "create-trusted-artifact", "terminated": { "containerID": "cri-o://367bda0b0dc0648c2831862ab2360f61716bca13a3a24218a12daed59513eae7", "exitCode": 0, "finishedAt": "2026-04-25T12:20:57Z", "message": "[{\"key\":\"CHAINS-GIT_COMMIT\",\"value\":\"10d106f3035e91d75173eb6f3b65a77356caa60c\",\"type\":1},{\"key\":\"CHAINS-GIT_URL\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:cc79ae5b0ff759c70a92b1f02c5ec758d6af839c64f44febd78678c4a8b940b3\",\"type\":1},{\"key\":\"commit\",\"value\":\"10d106f3035e91d75173eb6f3b65a77356caa60c\",\"type\":1},{\"key\":\"commit-timestamp\",\"value\":\"1777119633\",\"type\":1},{\"key\":\"short-commit\",\"value\":\"10d106f\",\"type\":1},{\"key\":\"url\",\"value\":\"https://github.com/rhads-tsf-qe/testrepo\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:20:55Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted artifact in the provided OCI repository.", "params": [ { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "1", "description": "Perform a shallow clone, fetching only the most recent N commits.", "name": "depth", "type": "string" }, { "default": "true", "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n", "name": "enableSymlinkCheck", "type": "string" }, { "default": "false", "description": "Fetch all tags for the repo.", "name": "fetchTags", "type": "string" }, { "default": "", "description": "HTTP proxy server for non-SSL requests.", "name": "httpProxy", "type": "string" }, { "default": "", "description": "HTTPS proxy server for SSL requests.", "name": "httpsProxy", "type": "string" }, { "default": "", "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n", "name": "mergeSourceDepth", "type": "string" }, { "default": "", "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n", "name": "mergeSourceRepoUrl", "type": "string" }, { "default": "false", "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.", "name": "mergeTargetBranch", "type": "string" }, { "default": "", "description": "Opt out of proxying HTTP/HTTPS requests.", "name": "noProxy", "type": "string" }, { "default": "", "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.", "name": "ociArtifactExpiresAfter", "type": "string" }, { "description": "The OCI repository where the Trusted Artifacts are stored.", "name": "ociStorage", "type": "string" }, { "default": "", "description": "Refspec to fetch before checking out revision.", "name": "refspec", "type": "string" }, { "default": "", "description": "Revision to checkout. (branch, tag, sha, ref, etc...)", "name": "revision", "type": "string" }, { "default": "7", "description": "Length of short commit SHA", "name": "shortCommitLength", "type": "string" }, { "default": "", "description": "Define the directory patterns to match or exclude when performing a sparse checkout.", "name": "sparseCheckoutDirectories", "type": "string" }, { "default": "true", "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.", "name": "sslVerify", "type": "string" }, { "default": "", "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n", "name": "submodulePaths", "type": "string" }, { "default": "true", "description": "Initialize and fetch git submodules.", "name": "submodules", "type": "string" }, { "default": "main", "description": "The target branch to merge into the revision (if mergeTargetBranch is true).", "name": "targetBranch", "type": "string" }, { "description": "Repository URL to clone from.", "name": "url", "type": "string" }, { "default": "/tekton/home", "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n", "name": "userHome", "type": "string" }, { "default": "false", "description": "Log the commands that are executed during `git-clone`'s operation.", "name": "verbose", "type": "string" } ], "results": [ { "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_COMMIT", "type": "string" }, { "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_URL", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "description": "The precise commit SHA that was fetched by this Task.", "name": "commit", "type": "string" }, { "description": "The commit timestamp of the checkout", "name": "commit-timestamp", "type": "string" }, { "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).", "name": "merged_sha", "type": "string" }, { "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters", "name": "short-commit", "type": "string" }, { "description": "The precise URL that was fetched by this Task.", "name": "url", "type": "string" } ], "steps": [ { "computeResources": {}, "env": [ { "name": "HOME", "value": "/tekton/home" }, { "name": "PARAM_URL", "value": "https://github.com/rhads-tsf-qe/testrepo" }, { "name": "PARAM_REVISION", "value": "10d106f3035e91d75173eb6f3b65a77356caa60c" }, { "name": "PARAM_REFSPEC" }, { "name": "PARAM_SUBMODULES", "value": "true" }, { "name": "PARAM_SUBMODULE_PATHS" }, { "name": "PARAM_DEPTH", "value": "1" }, { "name": "PARAM_SHORT_COMMIT_LENGTH", "value": "7" }, { "name": "PARAM_SSL_VERIFY", "value": "true" }, { "name": "PARAM_HTTP_PROXY" }, { "name": "PARAM_HTTPS_PROXY" }, { "name": "PARAM_NO_PROXY" }, { "name": "PARAM_VERBOSE", "value": "false" }, { "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES" }, { "name": "PARAM_USER_HOME", "value": "/tekton/home" }, { "name": "PARAM_FETCH_TAGS", "value": "false" }, { "name": "PARAM_MERGE_TARGET_BRANCH", "value": "false" }, { "name": "PARAM_TARGET_BRANCH", "value": "main" }, { "name": "PARAM_MERGE_SOURCE_REPO_URL" }, { "name": "PARAM_MERGE_SOURCE_DEPTH" }, { "name": "WORKSPACE_SSH_DIRECTORY_BOUND", "value": "false" }, { "name": "WORKSPACE_SSH_DIRECTORY_PATH" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND", "value": "true" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH", "value": "/workspace/basic-auth" }, { "name": "CHECKOUT_DIR", "value": "/var/workdir/source" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "clone", "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ]; then\n set -x\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ]; then\n if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n # Compatibility with kubernetes.io/basic-auth secrets\n elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e\"${PARAM_USER_HOME}/.git-credentials\"\n echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n helper = store\" \u003e\"${PARAM_USER_HOME}/.gitconfig\"\n else\n echo \"Unknown basic-auth workspace format\"\n exit 1\n fi\n chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ]; then\n cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n -url=\"${PARAM_URL}\" \\\n -revision=\"${PARAM_REVISION}\" \\\n -refspec=\"${PARAM_REFSPEC}\" \\\n -path=\"${CHECKOUT_DIR}\" \\\n -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n -submodules=\"${PARAM_SUBMODULES}\" \\\n -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n -depth=\"${PARAM_DEPTH}\" \\\n -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\n\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n # Determine if merging from a different repository or the same one\n if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n normalize_url() {\n echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n }\n\n NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n MERGE_REMOTE=\"origin\"\n else\n echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n echo \"Adding remote 'merge-source'...\"\n git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n MERGE_REMOTE=\"merge-source\"\n fi\n else\n echo \"Merging from the same repository (origin)\"\n MERGE_REMOTE=\"origin\"\n fi\n\n echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n else\n retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n fi\n\n echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n git config --global user.email \"tekton-git-clone@tekton.dev\"\n git config --global user.name \"Tekton Git Clone Task\"\n\n if ! git merge FETCH_HEAD --no-commit --no-ff --allow-unrelated-histories; then\n echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n echo \"--- Git Status ---\"\n git status\n echo \"------------------\"\n exit 1\n fi\n\n # Check if there are changes staged for commit\n if git diff --staged --quiet; then\n echo \"No diff was found, skipping merge...\" \u003e\u00262\n else\n echo \"Merge successful (no conflicts found), committing...\"\n if ! git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"; then\n echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n exit 1\n fi\n MERGED_SHA=$(git rev-parse HEAD)\n echo \"New HEAD after merge: ${MERGED_SHA}\"\n echo \"${MERGED_SHA}\" \u003e\"/tekton/results/merged_sha\"\n fi\n\nelse\n echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/commit\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e\"/tekton/results/CHAINS-GIT_COMMIT\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e\"/tekton/results/short-commit\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/url\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e\"/tekton/results/CHAINS-GIT_URL\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e\"/tekton/results/commit-timestamp\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ]; then\n echo \"Fetching tags\"\n retry git fetch --tags\nfi\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/workdir", "name": "workdir" } ] }, { "computeResources": {}, "env": [ { "name": "PARAM_ENABLE_SYMLINK_CHECK", "value": "true" }, { "name": "CHECKOUT_DIR", "value": "/var/workdir/source" } ], "image": "quay.io/konflux-ci/git-clone@sha256:09ac9c14392b5c2b8057f66cc4abfb8ce5d7214706318959d00908923a754434", "name": "symlink-check", "script": "#!/usr/bin/env bash\nset -euo pipefail\n\ncheck_symlinks() {\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n while read -r symlink; do\n target=$(readlink -m \"$symlink\")\n if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n fi\n done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ]; then\n return 1\n fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ]; then\n echo \"Running symlink check\"\n check_symlinks\nfi\n", "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, { "args": [ "create", "--store", "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:10d106f3035e91d75173eb6f3b65a77356caa60c.git", "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_EXPIRES_AFTER" } ], "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:15d7dc86012e41b10d1eb37679ec03ee75c96436224fadd0938a49dc537aa4ad", "name": "create-trusted-artifact", "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ], "workspaces": [ { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n", "name": "basic-auth", "optional": true }, { "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n", "name": "ssh-directory", "optional": true } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=10d106f3035e91d75173eb6f3b65a77356caa60c", "build.appstudio.redhat.com/commit_sha": "10d106f3035e91d75173eb6f3b65a77356caa60c", "build.appstudio.redhat.com/target_branch": "base-vytaap", "chains.tekton.dev/signed": "true", "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=5", "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6", "pipelinesascode.tekton.dev/branch": "base-vytaap", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73008040367", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-lbahhl", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "112348674", "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-c26eaf2d8c.guab.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-nmbds", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-vytaap\"", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot", "pipelinesascode.tekton.dev/sha": "10d106f3035e91d75173eb6f3b65a77356caa60c", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #238 from rhads-tsf-qe/konflux-tsf-demo-comp", "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/10d106f3035e91d75173eb6f3b65a77356caa60c", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-vytaap", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "default-tenant/results/dec2d079-a9c0-4297-87a5-a3019574b7bb/records/f2bbad41-dfaa-400e-94f7-3388f7233f0b", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"10d106f3035e91d75173eb6f3b65a77356caa60c\",\"eventType\":\"push\"}", "results.tekton.dev/result": "default-tenant/results/dec2d079-a9c0-4297-87a5-a3019574b7bb", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux" }, "creationTimestamp": "2026-04-25T12:20:44Z", "finalizers": [ "chains.tekton.dev", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.37.7", "appstudio.openshift.io/application": "tsf-demo-app", "appstudio.openshift.io/component": "tsf-demo-comp", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73008040367", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/sha": "10d106f3035e91d75173eb6f3b65a77356caa60c", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "tsf-demo-comp-on-push-nmbds", "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-nmbds", "tekton.dev/pipelineRunUID": "dec2d079-a9c0-4297-87a5-a3019574b7bb", "tekton.dev/pipelineTask": "init", "tekton.dev/task": "init" }, "name": "tsf-demo-comp-on-push-nmbds-init", "namespace": "default-tenant", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "tsf-demo-comp-on-push-nmbds", "uid": "dec2d079-a9c0-4297-87a5-a3019574b7bb" } ], "resourceVersion": "42544", "uid": "f2bbad41-dfaa-400e-94f7-3388f7233f0b" }, "spec": { "params": [ { "name": "enable-cache-proxy", "value": "false" } ], "serviceAccountName": "build-pipeline-tsf-demo-comp", "taskRef": { "params": [ { "name": "name", "value": "init" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-04-25T12:20:48Z", "conditions": [ { "lastTransitionTime": "2026-04-25T12:20:48Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "tsf-demo-comp-on-push-nmbds-init-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "288f3106118edc1d0f0c79a89c960abf5841a4dd8bc3f38feb10527253105b19" }, "entryPoint": "init", "uri": "quay.io/konflux-ci/tekton-catalog/task-init" } }, "results": [ { "name": "http-proxy", "type": "string", "value": "" }, { "name": "no-proxy", "type": "string", "value": "" } ], "startTime": "2026-04-25T12:20:44Z", "steps": [ { "container": "step-init", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:2d1039b614888ca46d5d771ca886a5843e56ac9acf7210040a61075371338247", "name": "init", "terminated": { "containerID": "cri-o://d71698ed78606cd86527f4ff4462eed7940c735bc4a80d995c31d620a750fc71", "exitCode": 0, "finishedAt": "2026-04-25T12:20:47Z", "message": "[{\"key\":\"http-proxy\",\"value\":\"\",\"type\":1},{\"key\":\"no-proxy\",\"value\":\"\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:20:47Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Initialize Pipeline Task, enables configuration for cache-proxy if required during the PipelineRun.", "params": [ { "default": "false", "description": "Enable cache proxy configuration", "name": "enable-cache-proxy", "type": "string" } ], "results": [ { "description": "HTTP proxy URL for cache proxy (when enable-cache-proxy is true)", "name": "http-proxy", "type": "string" }, { "description": "NO_PROXY value for cache proxy (when enable-cache-proxy is true)", "name": "no-proxy", "type": "string" } ], "steps": [ { "args": [ "--enable", "false" ], "command": [ "konflux-build-cli", "config", "cache-proxy" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" }, { "name": "DEFAULT_HTTP_PROXY", "value": "squid.caching.svc.cluster.local:3128" }, { "name": "DEFAULT_NO_PROXY", "value": "brew.registry.redhat.io,docker.io,gcr.io,ghcr.io,images.paas.redhat.com,mirror.gcr.io,nvcr.io,quay.io,registry-proxy.engineering.redhat.com,registry.access.redhat.com,registry.ci.openshift.org,registry.fedoraproject.org,registry.redhat.io,registry.stage.redhat.io,vault.habana.ai" }, { "name": "HTTP_PROXY_RESULTS_PATH", "value": "/tekton/results/http-proxy" }, { "name": "NO_PROXY_RESULTS_PATH", "value": "/tekton/results/no-proxy" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:59f2ea93fa4d47342b54acb434422ee07ebccd927a06a00d3f3eca70f8356ddf", "name": "init" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/rhads-tsf-qe/testrepo?rev=10d106f3035e91d75173eb6f3b65a77356caa60c", "build.appstudio.redhat.com/commit_sha": "10d106f3035e91d75173eb6f3b65a77356caa60c", "build.appstudio.redhat.com/target_branch": "base-vytaap", "chains.tekton.dev/signed": "true", "chains.tekton.dev/transparency": "http://rekor-server.tsf-tas.svc.cluster.local/api/v1/log/entries?logIndex=7", "pipeline.tekton.dev/release": "5e3f5af0ec3475362ab2c445a78160c4fea6e4c6", "pipelinesascode.tekton.dev/branch": "base-vytaap", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73008040367", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-lbahhl", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "112348674", "pipelinesascode.tekton.dev/log-url": "https://konflux-ui-konflux-ui.apps.rosa.kx-c26eaf2d8c.guab.p3.openshiftapps.com/ns/default-tenant/pipelinerun/tsf-demo-comp-on-push-nmbds", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-vytaap\"", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot", "pipelinesascode.tekton.dev/sha": "10d106f3035e91d75173eb6f3b65a77356caa60c", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #238 from rhads-tsf-qe/konflux-tsf-demo-comp", "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhads-tsf-qe/testrepo/commit/10d106f3035e91d75173eb6f3b65a77356caa60c", "pipelinesascode.tekton.dev/source-branch": "refs/heads/base-vytaap", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhads-tsf-qe/testrepo", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "default-tenant/results/dec2d079-a9c0-4297-87a5-a3019574b7bb/records/c7cfb659-666c-4f89-8be6-d832c40d6248", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"testrepo\",\"commit\":\"10d106f3035e91d75173eb6f3b65a77356caa60c\",\"eventType\":\"push\"}", "results.tekton.dev/result": "default-tenant/results/dec2d079-a9c0-4297-87a5-a3019574b7bb", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux" }, "creationTimestamp": "2026-04-25T12:20:58Z", "finalizers": [ "chains.tekton.dev", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.37.7", "appstudio.openshift.io/application": "tsf-demo-app", "appstudio.openshift.io/component": "tsf-demo-comp", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "73008040367", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "tsf-demo-comp-on-push", "pipelinesascode.tekton.dev/repository": "tsf-demo-comp", "pipelinesascode.tekton.dev/sha": "10d106f3035e91d75173eb6f3b65a77356caa60c", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "rhads-tsf-qe", "pipelinesascode.tekton.dev/url-repository": "testrepo", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "tsf-demo-comp-on-push-nmbds", "tekton.dev/pipelineRun": "tsf-demo-comp-on-push-nmbds", "tekton.dev/pipelineRunUID": "dec2d079-a9c0-4297-87a5-a3019574b7bb", "tekton.dev/pipelineTask": "prefetch-dependencies", "tekton.dev/task": "prefetch-dependencies-oci-ta-min" }, "name": "tsf-demo-comp-on-push-nmbds-prefetch-dependencies", "namespace": "default-tenant", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "tsf-demo-comp-on-push-nmbds", "uid": "dec2d079-a9c0-4297-87a5-a3019574b7bb" } ], "resourceVersion": "42959", "uid": "c7cfb659-666c-4f89-8be6-d832c40d6248" }, "spec": { "params": [ { "name": "input", "value": "" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:cc79ae5b0ff759c70a92b1f02c5ec758d6af839c64f44febd78678c4a8b940b3" }, { "name": "ociStorage", "value": "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:10d106f3035e91d75173eb6f3b65a77356caa60c.prefetch" }, { "name": "ociArtifactExpiresAfter", "value": "" } ], "serviceAccountName": "build-pipeline-tsf-demo-comp", "taskRef": { "params": [ { "name": "name", "value": "prefetch-dependencies-oci-ta-min" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min:0.3@sha256:1a41e7ee19f9e02874b4ef1f74e6f588a7601deaf5b30ca0862808e5760cea5d" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s", "workspaces": [ { "name": "git-basic-auth", "secret": { "secretName": "pac-gitauth-lbahhl" } } ] }, "status": { "artifacts": {}, "completionTime": "2026-04-25T12:21:25Z", "conditions": [ { "lastTransitionTime": "2026-04-25T12:21:25Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "tsf-demo-comp-on-push-nmbds-prefetch-dependencies-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "1a41e7ee19f9e02874b4ef1f74e6f588a7601deaf5b30ca0862808e5760cea5d" }, "entryPoint": "prefetch-dependencies-oci-ta-min", "uri": "quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta-min" } }, "results": [ { "name": "CACHI2_ARTIFACT", "type": "string", "value": "" }, { "name": "SOURCE_ARTIFACT", "type": "string", "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:cc79ae5b0ff759c70a92b1f02c5ec758d6af839c64f44febd78678c4a8b940b3" } ], "startTime": "2026-04-25T12:20:58Z", "steps": [ { "container": "step-skip-ta", "imageID": "registry.access.redhat.com/ubi9/ubi-minimal@sha256:83006d535923fcf1345067873524a3980316f51794f01d8655be55d6e9387183", "name": "skip-ta", "terminated": { "containerID": "cri-o://2838c8617bca835715f6f96dcdb1d52218eddfdcd0b8c130e293dfbc1a832efa", "exitCode": 0, "finishedAt": "2026-04-25T12:21:03Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:cc79ae5b0ff759c70a92b1f02c5ec758d6af839c64f44febd78678c4a8b940b3\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:21:03Z" }, "terminationReason": "Completed" }, { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:6ee5ae7d29b718eb3c69e55f1ec3a3264bc1a03ba398b2e1f34c7a20af1720d1", "name": "use-trusted-artifact", "terminated": { "containerID": "cri-o://e8ac1ba22e7841b39ec501795ba4f8f22ca60cc107efaa916fe8641a12aeb4fc", "exitCode": 0, "finishedAt": "2026-04-25T12:21:03Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:cc79ae5b0ff759c70a92b1f02c5ec758d6af839c64f44febd78678c4a8b940b3\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:21:03Z" }, "terminationReason": "Completed" }, { "container": "step-prefetch-dependencies", "imageID": "quay.io/konflux-ci/hermeto@sha256:0101888c066cc428dbbe87f91752e6208cdfdce5e68f6d7b1a773ec281870784", "name": "prefetch-dependencies", "terminated": { "containerID": "cri-o://9e9625d6ac774888857b69a0b16e9e2ef98a6b349df1376f8fbe63bb03af5d87", "exitCode": 0, "finishedAt": "2026-04-25T12:21:24Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:cc79ae5b0ff759c70a92b1f02c5ec758d6af839c64f44febd78678c4a8b940b3\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:21:03Z" }, "terminationReason": "Completed" }, { "container": "step-create-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:6ee5ae7d29b718eb3c69e55f1ec3a3264bc1a03ba398b2e1f34c7a20af1720d1", "name": "create-trusted-artifact", "terminated": { "containerID": "cri-o://b66ec9e6fc14f9a4517fe9ec2103c52df0078434c2a091e9bbcfac1e67aa26d1", "exitCode": 0, "finishedAt": "2026-04-25T12:21:25Z", "message": "[{\"key\":\"CACHI2_ARTIFACT\",\"value\":\"\",\"type\":1},{\"key\":\"SOURCE_ARTIFACT\",\"value\":\"oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:cc79ae5b0ff759c70a92b1f02c5ec758d6af839c64f44febd78678c4a8b940b3\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-04-25T12:21:24Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Task that prefetches project dependencies for hermetic build.", "params": [ { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "", "description": "Pass configuration to the prefetch tool.\nNote this needs to be passed as a YAML-formatted config dump, not as a file path!\n", "name": "config-file-content", "type": "string" }, { "description": "Configures project packages that will have their dependencies prefetched.", "name": "input", "type": "string" }, { "default": "debug", "description": "Set the logging level (debug, info, warn, error, fatal).", "name": "log-level", "type": "string" }, { "default": "strict", "description": "Control how input requirement violations are handled: strict (errors) or permissive (warnings).", "name": "mode", "type": "string" }, { "default": "", "description": "Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.", "name": "ociArtifactExpiresAfter", "type": "string" }, { "description": "The OCI repository where the Trusted Artifacts are stored.", "name": "ociStorage", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx.", "name": "sbom-type", "type": "string" } ], "results": [ { "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "computeResources": {}, "env": [ { "name": "INPUT" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:cc79ae5b0ff759c70a92b1f02c5ec758d6af839c64f44febd78678c4a8b940b3" } ], "image": "registry.access.redhat.com/ubi9/ubi-minimal:9.7-1773939694@sha256:83006d535923fcf1345067873524a3980316f51794f01d8655be55d6e9387183", "name": "skip-ta", "script": "#!/bin/bash\n\nif [ -z \"${INPUT}\" ]; then\n mkdir -p /var/workdir/source\n mkdir -p /var/workdir/cachi2\n echo \"true\" \u003e/var/workdir/source/.skip-trusted-artifacts\n echo \"true\" \u003e/var/workdir/cachi2/.skip-trusted-artifacts\n echo -n \"${SOURCE_ARTIFACT}\" \u003e\"/tekton/results/SOURCE_ARTIFACT\"\n echo -n \"\" \u003e\"/tekton/results/CACHI2_ARTIFACT\"\nfi\n" }, { "args": [ "use", "oci:quay.io/rhtap_qe/default-tenant/tsf-demo-comp@sha256:cc79ae5b0ff759c70a92b1f02c5ec758d6af839c64f44febd78678c4a8b940b3=/var/workdir/source" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:6ee5ae7d29b718eb3c69e55f1ec3a3264bc1a03ba398b2e1f34c7a20af1720d1", "name": "use-trusted-artifact" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "debug" }, { "name": "KBC_PD_INPUT" }, { "name": "KBC_PD_SOURCE_DIR", "value": "/var/workdir/source" }, { "name": "KBC_PD_OUTPUT_DIR", "value": "/var/workdir/cachi2/output" }, { "name": "KBC_PD_SBOM_FORMAT", "value": "spdx" }, { "name": "KBC_PD_MODE", "value": "strict" }, { "name": "KBC_PD_OUTPUT_DIR_MOUNT_POINT", "value": "/cachi2/output" }, { "name": "KBC_PD_ENV_FILE", "value": "/var/workdir/cachi2/cachi2.env" }, { "name": "KBC_PD_GIT_AUTH_DIRECTORY", "value": "/workspace/git-basic-auth" }, { "name": "WORKSPACE_NETRC_PATH" }, { "name": "CONFIG_FILE_CONTENT" } ], "image": "quay.io/konflux-ci/hermeto:0.48.0@sha256:105b953463a203b82223cc54fb466ee0395ae9cca67bcdbbcbec4c340d511f26", "name": "prefetch-dependencies", "script": "#!/bin/bash\n\nif [ -n \"${WORKSPACE_NETRC_PATH}\" ]; then\n export NETRC=\"${WORKSPACE_NETRC_PATH}/.netrc\"\nfi\n\nCA_BUNDLE_PATH=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$CA_BUNDLE_PATH\" ]; then\n cp -vf \"$CA_BUNDLE_PATH\" /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nif [ -e /activation-key/org ] \u0026\u0026 [ -e /activation-key/activationkey ]; then\n export KBC_PD_RHSM_ORG=/activation-key/org\n export KBC_PD_RHSM_ACTIVATION_KEY=/activation-key/activationkey\nfi\n\nif [ -n \"${CONFIG_FILE_CONTENT}\" ]; then\n echo \"${CONFIG_FILE_CONTENT}\" \u003e/mnt/config/config.yaml\n export KBC_PD_CONFIG_FILE=/mnt/config/config.yaml\nfi\n\nkonflux-build-cli prefetch-dependencies\n", "volumeMounts": [ { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/mnt/config", "name": "config" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ] }, { "args": [ "create", "--store", "quay.io/rhtap_qe/default-tenant/tsf-demo-comp:10d106f3035e91d75173eb6f3b65a77356caa60c.prefetch", "/tekton/results/SOURCE_ARTIFACT=/var/workdir/source", "/tekton/results/CACHI2_ARTIFACT=/var/workdir/cachi2" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_EXPIRES_AFTER" } ], "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:6ee5ae7d29b718eb3c69e55f1ec3a3264bc1a03ba398b2e1f34c7a20af1720d1", "name": "create-trusted-artifact" } ], "volumes": [ { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "emptyDir": {}, "name": "config" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ], "workspaces": [ { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before prefetch is run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto bind a Secret to this Workspace over other volume types.\n", "name": "git-basic-auth", "optional": true }, { "description": "Workspace containing a .netrc file. Prefetch will use the credentials in this file when\nperforming http(s) requests.\n", "name": "netrc", "optional": true } ] } } } ], "kind": "List", "metadata": { "resourceVersion": "" } }