|
| 1 | +--- |
| 2 | +name: konflux-tekton-updates |
| 3 | +description: >- |
| 4 | + Bumps Konflux Tekton task digests with .tekton/updateDigests.sh --minor --no-push, |
| 5 | + applies konflux-ci/build-definitions MIGRATION.md pipeline fixes, and regenerates |
| 6 | + PipelineRuns. Use for rhdh-plugin-catalog, RHDH midstream (4-rhdh), Konflux task |
| 7 | + minor bumps, prefetch-dependencies-oci-ta, build-image-index, or updateDigests.sh. |
| 8 | +--- |
| 9 | + |
| 10 | +# Konflux Tekton updates |
| 11 | + |
| 12 | +## Goal |
| 13 | + |
| 14 | +After a **minor** Konflux task tag bump, update `.tekton` pipelines and generators so builds keep working. Apply what each `MIGRATION.md` says; do **not** add drift tests that block future Konflux updates. |
| 15 | + |
| 16 | +## Prerequisites |
| 17 | + |
| 18 | +`skopeo`, `jq` (>= 1.7), `yq`. Optional: `gh` for PR creation from scripts. |
| 19 | + |
| 20 | +## Commit locally; never push without human review |
| 21 | + |
| 22 | +| Script | Flag | Effect | |
| 23 | +|--------|------|--------| |
| 24 | +| `updateDigests.sh` | `--no-push` / `--nopush` (`-p`) | Commit locally; no push/PR | |
| 25 | +| `updateDigests.sh` | `--minor` | Disables push; use with `--no-push` for clarity | |
| 26 | +| `updateDigests.sh` | `--no-commit` / `-n` | Preview only | |
| 27 | +| `generatePipelineRunsForPlugins.sh` | `--nopush` | Commit locally; no push | |
| 28 | +| `generatePipelineRunsForPlugins.sh` | `--nocommit` | Write YAML only | |
| 29 | + |
| 30 | +`generatePipelineRuns.sh` does not commit or push. |
| 31 | + |
| 32 | +**Do not** run digest/generator scripts without `--no-push` / `--nopush` unless the user explicitly requests a push. |
| 33 | + |
| 34 | +## Detect repo layout |
| 35 | + |
| 36 | +| Marker in repo | Read | |
| 37 | +|----------------|------| |
| 38 | +| `.tekton/generatePipelineRunsForPlugins.sh` | [references/plugin-catalog.md](references/plugin-catalog.md) | |
| 39 | +| `.tekton-templates/rhdh-pipeline.yaml` | [references/rhdh-midstream.md](references/rhdh-midstream.md) | |
| 40 | + |
| 41 | +If both exist, apply changes for the repo you are working in. |
| 42 | + |
| 43 | +## Workflow |
| 44 | + |
| 45 | +### 1. Bump digests |
| 46 | + |
| 47 | +```bash |
| 48 | +cd .tekton |
| 49 | +./updateDigests.sh --minor --no-push |
| 50 | +``` |
| 51 | + |
| 52 | +- Updates `tag@sha256` in `*.yaml` (and `.tekton-templates/*.yaml` in RHDH midstream). |
| 53 | +- Tag changes list `MIGRATION.md` URLs under `konflux-ci/build-definitions`. |
| 54 | +- Digest-only: `./updateDigests.sh --no-push -q` |
| 55 | + |
| 56 | +Review `git diff` for `quay.io/konflux-ci/tekton-catalog/task-*` changes. |
| 57 | + |
| 58 | +### 2. Apply migrations |
| 59 | + |
| 60 | +For each URL from `updateDigests.sh` (or from the diff): |
| 61 | + |
| 62 | +1. Read `MIGRATION.md`. |
| 63 | +2. Apply **only** documented user actions. |
| 64 | +3. Skip “no action required” sections. |
| 65 | + |
| 66 | +### 3. Regenerate (optional) |
| 67 | + |
| 68 | +After fixing shared pipelines/templates and generator scripts: |
| 69 | + |
| 70 | +- **plugin-catalog:** `./generatePipelineRunsForPlugins.sh -v <x.y.z> --nopush` |
| 71 | +- **RHDH midstream:** `./generatePipelineRuns.sh -t <x.y>` |
| 72 | + |
| 73 | +### 4. Human review and push |
| 74 | + |
| 75 | +Human reviews the full diff, then `git push` or opens a PR. |
| 76 | + |
| 77 | +## Known migration patterns |
| 78 | + |
| 79 | +Use live `MIGRATION.md` as source of truth. Common cases: |
| 80 | + |
| 81 | +| Task | Action | |
| 82 | +|------|--------| |
| 83 | +| `prefetch-dependencies-oci-ta` 0.2→0.3 | Remove `dev-package-managers`; add pipeline param `enable-package-registry-proxy` (default `"true"`) and pass to prefetch task | |
| 84 | +| `build-image-index` 0.2→0.3 | Remove `COMMIT_SHA` / `IMAGE_EXPIRES_AFTER` from **build-image-index** task only; keep `image-expires-after` on buildah/prefetch | |
| 85 | +| `init` 0.3→0.4 | No pipeline changes | |
| 86 | +| `init` 0.4.1→0.4.2 | Remove broken auto-added `sast-target-dirs` pipeline param if present | |
| 87 | + |
| 88 | +## Anti-patterns |
| 89 | + |
| 90 | +- Pushing without `--no-push` / `--nopush` and human sign-off. |
| 91 | +- Leaving removed task params (`dev-package-managers`, `COMMIT_SHA` on `build-image-index`). |
| 92 | +- Adding `verify_*` guards that fail on the next Konflux bump. |
| 93 | +- Dropping `image-expires-after` from PLRs only because `build-image-index` no longer uses it. |
| 94 | +- Hardcoding `1-` in `generatePipelineRunsForPlugins.sh` Containerfile comments; use `${RHDH_XY_VERSION}` so `1.10.0` becomes `1-10`, not `1`. |
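Review bot: In "### 1. Bump digests", the review instruction `Review git diff for quay.io/konflux-ci/tekton-catalog/task-* changes` follows a run of `./updateDigests.sh --minor --no-push`, which the flag table above describes as "Commit locally; no push/PR". Once the changes are committed, a bare `git diff` shows nothing, so the one step where a human is supposed to check the new `tag@sha256` pins can pass with empty output. Suggest either telling the reader to inspect the commit itself (`git show` or `git diff HEAD~1`), or running with `--no-commit` first and committing only after the diff has been read. The same section also uses `./updateDigests.sh --no-push -q` for the digest-only case, but `-q` does not appear in the flag table; add a row for it so the skill documents every flag it tells the agent to pass. Minor: the table row for `--minor` says it "Disables push" while the rule below the table requires `--no-push` on every run; a short sentence stating that `--no-push` is always passed regardless would remove the ambiguity.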