| name | konflux-tekton-updates |
|---|---|
| description | Bumps Konflux Tekton task digests with .tekton/updateDigests.sh --minor --no-push, applies konflux-ci/build-definitions MIGRATION.md pipeline fixes, and regenerates PipelineRuns. Use for rhdh-plugin-catalog, RHDH midstream (4-rhdh), Konflux task minor bumps, prefetch-dependencies-oci-ta, build-image-index, or updateDigests.sh. |
After a minor Konflux task tag bump, update .tekton pipelines and generators so builds keep working. Apply what each MIGRATION.md says; do not add drift tests that block future Konflux updates.
skopeo, jq (>= 1.7), yq. Optional: gh for PR creation from scripts.
| Script | Flag | Effect |
|---|---|---|
updateDigests.sh |
--no-push / --nopush (-p) |
Commit locally; no push/PR |
updateDigests.sh |
--minor |
Disables push; use with --no-push for clarity |
updateDigests.sh |
--no-commit / -n |
Preview only |
generatePipelineRunsForPlugins.sh |
--nopush |
Commit locally; no push |
generatePipelineRunsForPlugins.sh |
--nocommit |
Write YAML only |
generatePipelineRuns.sh does not commit or push.
Do not run digest/generator scripts without --no-push / --nopush unless the user explicitly requests a push.
| Marker in repo | Read |
|---|---|
.tekton/generatePipelineRunsForPlugins.sh |
references/plugin-catalog.md |
.tekton-templates/rhdh-pipeline.yaml |
references/rhdh-midstream.md — variant A (unified) |
.tekton-templates/rhdh-hub.yaml (no rhdh-pipeline.yaml) |
references/rhdh-midstream.md — variant B (1.9 shared build-pipeline) |
If both plugin-catalog and midstream markers exist, apply changes only for the repo/branch you are on.
cd .tekton
./updateDigests.sh --minor --no-push- Updates
tag@sha256in.tekton/*.yamland.tekton-templates/*.yaml(viaTEMPLATEPATH). - On variant B, also updates
.tekton/build-pipeline-rhdh-*.yaml. - Tag changes list
MIGRATION.mdURLs underkonflux-ci/build-definitions. - Digest-only (no tag bump):
./updateDigests.sh --no-push -q
Review git diff for quay.io/konflux-ci/tekton-catalog/task-* changes.
For each URL from updateDigests.sh (or from the diff):
- Read
MIGRATION.md. - Apply only documented user actions in templates and shared pipelines (see references/rhdh-midstream.md for per-variant file list).
- Skip “no action required” sections.
If PLRs still contain removed params (e.g. dev-package-managers) but templates are fixed, migrations are incomplete until step 3.
Always run after template or shared-pipeline migration edits (not optional when params changed):
cd .tekton
./generatePipelineRuns.sh -t <version>| Branch example | -t value |
PLR suffix |
|---|---|---|
rhdh-1-rhel-9 |
1 |
rhdh-hub-1-push.yaml |
rhdh-1.9-rhel-9 |
1.9 |
rhdh-hub-1-9-push.yaml |
rhdh-1.10-rhel-9 |
1.10 |
rhdh-hub-1-10-push.yaml |
- Variant A: also patch
rhdh-rag-content-<N>-{push,pull}.yamlby hand (inlinepipelineSpec, not generated). - Variant B: hub/operator PLRs regenerate from
rhdh-hub.yaml/rhdh-operator.yaml;build-pipeline-*.yamlis edited directly, not by the generator.
Commit migration + regen locally when ready; do not push until human review.
Human reviews the full diff (digest commit plus any migration/regen commits), then git push or opens a PR.
Use live MIGRATION.md as source of truth. Common cases:
| Task | Action |
|---|---|
prefetch-dependencies-oci-ta 0.2→0.3 |
Remove dev-package-managers; add pipeline param enable-package-registry-proxy (default "true") and pass to prefetch task. Variant B: also add param on build-pipeline-rhdh-{hub,operator}.yaml tasks prefetch-dependencies-hub / prefetch-dependencies-operator, and on PLR spec.params in rhdh-hub.yaml / rhdh-operator.yaml. |
build-image-index 0.2→0.3 |
Remove COMMIT_SHA / IMAGE_EXPIRES_AFTER from build-image-index task only; keep on buildah (build-container) and prefetch |
init 0.3→0.4 |
No pipeline changes |
init 0.4.1→0.4.2 |
Remove broken auto-added sast-target-dirs pipeline param if present |
- Pushing without
--no-push/--nopushand human sign-off. - Leaving removed task params (
dev-package-managers,COMMIT_SHAonbuild-image-index). - Skipping
generatePipelineRuns.shafter fixing templates while PLRs still reference old params. - Editing only PLRs when templates or
build-pipeline-*.yamlare the source of truth. - Adding
verify_*guards that fail on the next Konflux bump. - Dropping
image-expires-afterfrom PLRs only becausebuild-image-indexno longer uses it. - Hardcoding
1-ingeneratePipelineRunsForPlugins.shContainerfile comments; use${RHDH_XY_VERSION}so1.10.0becomes1-10, not1.