fix(konflux): apply build pipeline service account migration

[JoySnow]

to apply #130

Summary by Sourcery

Deployment:

• Configure the pull-request and push Tekton pipelines to use the build-pipeline-module-update-router service account via taskRunTemplate.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Configures Tekton pull-request and push pipelines to run under a specific Konflux build pipeline service account instead of the default taskRun template.

Sequence diagram for Tekton pipeline run using Konflux build service account

sequenceDiagram
    actor Developer
    participant GitHub
    participant Tekton_Controller
    participant PipelineRun_PR
    participant ServiceAccount_build_pipeline_module_update_router
    participant Build_Tasks

    Developer->>GitHub: Open_pull_request_or_push_commit
    GitHub-->>Tekton_Controller: Webhook_event
    Tekton_Controller->>PipelineRun_PR: Create_PipelineRun(docker-build-oci-ta)
    PipelineRun_PR->>ServiceAccount_build_pipeline_module_update_router: Bind_taskRunTemplate_serviceAccountName
    PipelineRun_PR->>Build_Tasks: Start_tasks_with_bound_ServiceAccount
    Build_Tasks-->>ServiceAccount_build_pipeline_module_update_router: Use_permissions_to_access_resources
    Build_Tasks-->>Tekton_Controller: Report_task_status
    Tekton_Controller-->>GitHub: Update_PR_or_commit_status

Loading

File-Level Changes

Change	Details	Files
Assign a dedicated build service account to Tekton TaskRun templates for both PR and push Konflux pipelines.	Replace the empty taskRunTemplate configuration with an explicit template block Set serviceAccountName to build-pipeline-module-update-router so pipeline tasks execute under the new service account Apply the same configuration to both module-update-router pull-request and push pipeline definitions	.tekton/module-update-router-pull-request.yaml .tekton/module-update-router-push.yaml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

Hey - I've found 1 issue

Prompt for AI Agents

Please address the comments from this code review:

## Individual Comments

### Comment 1
<location> `.tekton/module-update-router-push.yaml:33-34` </location>
<code_context>
   pipelineRef:
     name: docker-build-oci-ta
-  taskRunTemplate: {}
+  taskRunTemplate:
+    serviceAccountName: build-pipeline-module-update-router
   workspaces:
   - name: git-auth
</code_context>

<issue_to_address>
**🚨 suggestion (security):** Validate that the chosen service account has the minimal required permissions for both push and PR pipelines

Reusing `build-pipeline-module-update-router` for both push and PR runs might give PR executions more permissions than they need. If PRs can be triggered from forks or otherwise untrusted sources, consider a dedicated, least-privilege service account for PR builds to keep RBAC tightly scoped.

Suggested implementation:

```
  pipelineRef:
    name: docker-build-oci-ta
  taskRunTemplate:
    # Dedicated service account for push builds; PR builds SHOULD use a separate,
    # least-privilege SA (e.g. `build-pipeline-module-update-router-pr`)
    serviceAccountName: build-pipeline-module-update-router-push
  workspaces:

```

1. In the corresponding PR pipeline file (likely `.tekton/module-update-router-pr.yaml` or similar), set `taskRunTemplate.serviceAccountName` to a distinct service account, e.g. `build-pipeline-module-update-router-pr`.
2. Define the `build-pipeline-module-update-router-push` and `build-pipeline-module-update-router-pr` ServiceAccounts in your manifests (if not already present).
3. Adjust RBAC so that:
   - `build-pipeline-module-update-router-push` has the full permissions required for push builds.
   - `build-pipeline-module-update-router-pr` is restricted to the minimal read/build permissions needed for PR validation, avoiding write/production-impacting permissions where possible.
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}