feat(ISV-7320): sign-index-image task uses direct container signing#1

Draft

JakubDurkac wants to merge 24 commits into direct-sign-index-image from ISV-7320

Conversation

@JakubDurkac commented Jun 12, 2026

NOTE:
This PR adds new direct-sign-index-image tekton task that is meant to match a new python utility direct_sign_index_image.py developed in release-service-utils repo (konflux-ci/release-service-utils#823).

CHANGES FROM THE OLDER VERSION OF THE TASK (sign-index-image):
Replaces inline bash signing logic with a call to prepare_index_image_signing (Python, from release-service-utils). Switches the default pipeline from simple-signing-pipeline to container-signing, passing signing_requests and pipeline_image instead of per-item references/digests/repositories and UMB params.

Requests to the new direct signing pipeline, as well as all other logic, were moved into the new Python util direct_sign_index_image.py. This task is only responsible for calling it with the right parameters.

Assisted-by: Claude Opus 4.6

Relevant Jira

ISV-7320

Checklist before requesting a review

  • I have marked as draft or added do not merge label if there's a dependency PR
    • If you want reviews on your draft PR, you can add reviewers or add the release-service-maintainers handle if you are unsure who to tag
  • My commit message includes Signed-off-by: My name <email>
  • I read CONTRIBUTING.MD and commit formatting
  • I have run the README.md generator script in .github/scripts/readme_generator.sh and verified the results using .github/scripts/check_readme.sh
  • If an AI agent was used, I marked that via a commit footer like Assisted-By: Cursor

red-hat-konflux Bot and others added 24 commits June 23, 2026 13:26
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
From release-service-utils update to always clean up the
checksum host. PR 820
Use a finally block to ensure the checksum host is always cleaned
up rather than only on the successful path.

Assisted-by: Cursor AI
Signed-off-by: Scott Wickersham <swickers@redhat.com>
Replace the inline bash script with a call to the Python script in
the release-service-utils image.

Assisted-by: Claude Code
Signed-off-by: Filip Nikolovski <fnikolov@redhat.com>
Replace the inline bash script in the make-repo-public task step with a
call to the Python make_repo_public module from release-service-utils.
The task step now sets environment variables and invokes the script via
command instead of embedding the logic in a script block.

Add TLS and POST method support to the mock_http_json test framework so
tasks that call HTTPS endpoints with non-GET methods can use the
lightweight mocks.yaml approach instead of deploying full Kubernetes
services.

Assisted-by: Cursor
Signed-off-by: Lubomir Gallovic <lgallovi@redhat.com>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
This PR adds a multi-component opt-in scenario for FBC builds and,
in addition, fixes the situation where the Pyxis URL is not changed
to stage when the pyxisServer parameter is "stage".

- adds pyxisUrl to check-fbc-opt-in pipeline and task
- keep default values only in the pipeline file
- add tests
- use stage pyxis url when pyxisServer is set to stage
- update README and remove comment from kustomization.yaml

Assisted-by: claude
Signed-off-by: Leandro Mendes <lmendes@redhat.com>
Call the utils script from the filter-already-released-advisory-images task

Signed-off-by: Elena German <elgerman@redhat.com>
Assisted-by: Claude
Update update-infra-deployments task with new utils image
that contains the fix for the PR references in changelog
commit messages.

Signed-off-by: Filip Nikolovski <fnikolov@redhat.com>
Replace the inline bash script with a call to the Python script in
the release-service-utils image. Tekton test mocks are converted to
the declarative mocks.yaml pattern compatible with the Python
entrypoint, and scenario-specific tests that are now covered by
pytest in the utils repo are removed.

Assisted-by: Claude Code
Signed-off-by: Filip Nikolovski <fnikolov@redhat.com>
This reverts commit 9a589d4.
Due to a bug in the Python script, reused IIB builds cause
missing iibLog result, failing PipelineRuns with
CouldntGetPipelineResult.

Signed-off-by: Filip Nikolovski <fnikolov@redhat.com>
The jira_ci.py script no longer works after the Jira
migration. Replace it with a call to a Jira Automation
webhook that handles ticket updates (label swaps,
comments, transitions) via an automation rule.

The parsed tickets payload format has changed to group
PRs by ticket, as Jira Automation's smart values cannot
correlate individual entries back to the current issue
being processed.

Requires JIRA_AUTOMATION_WEBHOOK_URL and
JIRA_AUTOMATION_WEBHOOK_TOKEN repository secrets.

Assisted-by: Cursor
Signed-off-by: Lubomir Gallovic <lgallovi@redhat.com>
Remove unreleased_rpms and in_advisory_rpms results from the internal
task to fix Tekton's 4096-byte termination message limit being exceeded
when the RPM list is large. The same data is already passed via the OCI
artifact (filter_results_artifact) which the managed task consumes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Scott Hebert <scoheb@gmail.com>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
…83d9c2d

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
This commit replaces the inline task script for publish-pyxis-repository
with a standalone python script contained in the utils image. The tekton
unit tests are updated accordingly. We only keep one happy path test as
the other scenarios are covered by pytest in the utils repo.

Assisted-By: Cursor

Signed-off-by: Johnny Bieren <jbieren@redhat.com>
This commit replaces the inline task script for the
get-advisory-severity internal task with a standalone python script
contained in the utils image. The tekton unit tests are updated
accordingly. We only keep one happy path test as the other scenarios are
covered by pytest in the utils repo.

Assisted-By: Cursor

Signed-off-by: Johnny Bieren <jbieren@redhat.com>
Replace the inline bash script with a call to the python
check_labels.py script from release-service-utils. Remove
all bash-era test files superseded by python unit tests.

Assisted-by: Cursor
Signed-off-by: Lubomir Gallovic <lgallovi@redhat.com>
Binary components that push only to the customer portal must nest their
files under staged.files to drive Pulp destination routing. The binary
code path in populate-release-notes only looked at .files directly on
the component, so FILES_LENGTH evaluated to 0 and releaseNotes.content
was never written, causing check-data-keys to fail schema validation.

The binary path in create-advisory had the same gap when resolving
filenames for PURL construction.

Both tasks now fall back to staged.files when .files is absent. Existing
behaviour for components with a top-level .files array is unchanged.

Assisted-by: Cursor AI
Signed-off-by: Scott Wickersham <swickers@redhat.com>
Replace the 8 embedded bash steps in push-artifacts-to-cdn-task
with calls to a single standalone Python script from
release-service-utils.

Assisted-by: Cursor AI
Signed-off-by: Scott Wickersham <swickers@redhat.com>
Update the conforma tekton-catalog revision for the
verify-conforma-konflux-ta task across all managed pipelines.

This change contains a patch to help teams switch to the
new trusted_task_rules schema.

Signed-off-by: jstuart@redhat.com
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Jindrich Luza <jluza@redhat.com>
New Tekton task for signing FBC index images via the container-signing
pipeline. The task has similar functionality to old sign-index-image
task, but it uses direct container signing instead of Radas/UMB
solution. Also, it outsources all the existing core logic from
bash to a new python util it invokes - direct_sign_index_image.py,
passing all parameters as CLI arguments.

- Passes signing params (pyxis-server, pipeline, pipeline-image,
  requester, batch-max-size, etc.) as CLI arguments to Python
- Pyxis secret mounted at /etc/secrets, paths set via env vars
- Includes Tekton integration test using Python mock pattern
- Generated README from task YAML

Assisted-by: Claude Opus 4.6
Signed-off-by: Jakub Durkac <jdurkac@redhat.com>
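The last commit describes the shape of the new task: a Python entrypoint from the release-service-utils image, signing parameters handed over as CLI arguments, and the Pyxis client secret mounted at /etc/secrets with its file paths exposed through environment variables. The Task below is an added illustration of that pattern written by the editor, not the task YAML from this PR or from release-service-catalog; the image reference, the console-script name, the flag names and the secret key names (cert, key) are assumptions, only the parameter names listed in the commit message come from the page.

```yaml
# Added example (not the PR's own task): a minimal Tekton Task following the
# pattern described in the commit message. Image reference, entrypoint name,
# CLI flag names and secret key names are assumptions.
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: direct-sign-index-image-example
spec:
  params:
    - name: pyxisServer
      type: string
      default: production
    - name: pipeline
      type: string
      default: container-signing
    - name: pipelineImage
      type: string
    - name: requester
      type: string
    - name: batchMaxSize
      type: string
      default: "50"
    - name: pyxisSecret
      type: string
      description: Name of the Secret holding the Pyxis client cert and key
  steps:
    - name: sign
      image: quay.io/example/release-service-utils:latest  # assumed image ref
      env:
        # Only file paths travel through the environment; the key material
        # itself stays on the mounted volume and never appears in the pod
        # spec, the TaskRun status or the process argument list.
        - name: PYXIS_CERT_PATH
          value: /etc/secrets/cert
        - name: PYXIS_KEY_PATH
          value: /etc/secrets/key
      volumeMounts:
        - name: pyxis-secret
          mountPath: /etc/secrets
          readOnly: true
      command:
        - direct_sign_index_image  # assumed console-script name
      args:
        - --pyxis-server
        - $(params.pyxisServer)
        - --pipeline
        - $(params.pipeline)
        - --pipeline-image
        - $(params.pipelineImage)
        - --requester
        - $(params.requester)
        - --batch-max-size
        - $(params.batchMaxSize)
  volumes:
    - name: pyxis-secret
      secret:
        secretName: $(params.pyxisSecret)
```

The point worth checking in review of the real task is the same one the example encodes: the secret is mounted read-only and referenced by path, so nothing sensitive is passed as a CLI argument (which would be visible in `ps` output and in the TaskRun spec), and every tunable the Python util needs arrives as an explicit flag rather than through inline shell.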