Release pipeline for Lightwell Java artifacts (slan-cuan).
This pipeline orchestrates the complete release workflow for Java artifacts built by PNC (Project Newcastle):
- Extract -- Pull artifacts from PNC container image
- Sign -- Cryptographically sign artifacts using RADAS
- Register -- Upload SBOMs to Trustify for CVE tracking
- Publish -- Push signed artifacts to Pulp for distribution
The pipeline executes tasks in strict sequential order:
extract → sign → register → publish
Each task waits for its predecessor via runAfter dependencies. Data flows through
a shared workspace that persists the artifact directory across all stages.
The pipeline requires a single shared workspace (shared-workspace) for artifact passing
between tasks. All tasks mount this workspace at /var/workdir.
Workspace binding options:
- PersistentVolumeClaim -- For traditional Konflux pipelines
- Trusted Artifacts -- Wrap tasks with use-trusted-artifact/create-trusted-artifact
- emptyDir -- For ephemeral single-node execution (testing only)
The pipeline propagates key results from individual tasks for downstream consumption and Enterprise Contract policy evaluation:
- manifest-digest -- OCI manifest digest of the extracted PNC image
- deliverable-dir -- Name of the deliverable directory
- sbom-urn -- URN of the SBOM registered in Trustify
- artifacts-uploaded -- Number of artifacts uploaded to Pulp
- artifacts-skipped -- Number of artifacts skipped during upload
- published-artifact-outputs -- JSON object for Tekton Chains SLSA provenance
The published-artifact-outputs result contains uri and digest keys. The
-ARTIFACT_OUTPUTS suffix triggers Tekton Chains to generate SLSA provenance
attestations for the published artifacts.
Create these Kubernetes Secrets before running the pipeline:
- registry-auth (.dockerconfigjson) -- Docker/Podman registry authentication
- radas-config (Opaque) -- RADAS configuration JSON in the config.json key
- trustify-sso (Opaque) -- OIDC credentials (client-id, client-secret keys)
- Custom CA certs (Opaque, optional) -- ca.crt key for the register/publish tasks
Secret names are configurable via pipeline parameters.
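The Secrets described above, written out as manifests with the default names from the parameter table. This is an added example, not part of the catalog; all values are placeholders, the layout of the RADAS config.json is not specified here, and the CA Secret name internal-ca is an assumption.

```yaml
# Constructed example manifests for the four Secrets the pipeline reads.
apiVersion: v1
kind: Secret
metadata:
  name: registry-auth            # default of registry-auth-secret
type: kubernetes.io/dockerconfigjson
data:
  # base64-encoded Docker/Podman auth config ({"auths": {...}}); placeholder
  .dockerconfigjson: <BASE64_DOCKER_CONFIG_JSON>
---
apiVersion: v1
kind: Secret
metadata:
  name: radas-config             # default of radas-config-secret
type: Opaque
stringData:
  # JSON holding the RADAS API URL and credentials; exact schema is RADAS-specific
  config.json: '<RADAS_CONFIG_JSON>'
---
apiVersion: v1
kind: Secret
metadata:
  name: trustify-sso             # default of sso-secret-name
type: Opaque
stringData:
  client-id: <OIDC_CLIENT_ID>
  client-secret: <OIDC_CLIENT_SECRET>
---
# Optional private CA for the register/publish tasks. Referencing this Secret via
# register-ca-cert-secret / publish-ca-cert-secret keeps TLS verification on,
# which is preferable to setting register-insecure / publish-insecure to "true".
apiVersion: v1
kind: Secret
metadata:
  name: internal-ca              # assumed name
type: Opaque
stringData:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    <PEM_ENCODED_CA_CERTIFICATE>
    -----END CERTIFICATE-----
```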
| Name | Description | Optional | Default value |
|---|---|---|---|
| taskGitUrl | The URL of the git repo where the release-service-catalog tasks to be used are stored | Yes | https://github.com/konflux-ci/release-service-catalog.git |
| taskGitRevision | The revision in the taskGitUrl repo to be used | No | - |
| pnc-image | PNC container image reference to extract artifacts from. This is the image produced by Project Newcastle containing the deliverable artifacts and SBOM. Example: quay.io/pnc-builds/foo@sha256:xyz | No | - |
| registry-auth-secret | Kubernetes Secret name for registry authentication (.dockerconfigjson format). Points to a Docker/Podman auth config for accessing private registries | Yes | registry-auth |
| force-extract | Overwrite existing output directory if it exists. Without this flag, the extract task refuses to overwrite existing directories | Yes | false |
| signing-key | Signing key name for RADAS. Identifies which signing key to use for cryptographic signatures | No | - |
| radas-config-secret | Kubernetes Secret name containing RADAS configuration JSON. The secret must have a config.json key with RADAS API URL and credentials | Yes | radas-config |
| requester-id | Requester identity for signing operations. Used for audit trails and RADAS access control. Typically an email address | Yes | slan-cuan@example.com |
| zip-root-path | Root of the Maven repository tree inside the ZIP archive submitted to RADAS. The ZIP file structure is <ZIP_ROOT_PATH>/ | Yes | repository |
| product-key | Product key for metadata tagging. Identifies the product in RADAS records and signing logs | Yes | slan-cuan |
| ignore-patterns | Comma-separated regex patterns to exclude files from signing. Example: `.*-sources\.jar$,.*-javadoc\.jar$` excludes source and javadoc JARs | Yes | "" |
| trustify-api-url | Trustify instance API URL. The base URL for the Trustify (TPA) SBOM ingestion API. Example: https://trustify.stage.example.com | No | - |
| sso-token-url | OIDC token endpoint URL. The OAuth2/OIDC token endpoint for Trustify authentication. Example: https://sso.example.com/auth/realms/token | | |
| sso-secret-name | Kubernetes Secret name with OIDC credentials. The secret must have client-id and client-secret keys for OAuth2 client credentials flow | Yes | trustify-sso |
| register-insecure | Disable TLS verification for Trustify API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false |
| register-retries | Number of retry attempts for Trustify API calls. The task will retry failed API calls this many times before giving up | Yes | 3 |
| register-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a ca.crt key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" |
| pulp-url | Pulp instance base URL. The base URL for the Pulp content management system. Example: https://pulp.example.com | No | - |
| pulp-repository | Pulp Maven distribution name. The name of the target Pulp repository for artifact publishing. Example: lightwell-maven | No | - |
| publish-insecure | Disable TLS verification for Pulp API calls. Set to "true" to skip certificate validation (not recommended for production) | Yes | false |
| publish-ca-cert-secret | Kubernetes Secret name for custom CA certificate (optional). The secret must have a ca.crt key containing the PEM-encoded CA certificate. Leave empty to use system CA bundle | Yes | "" |
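A PipelineRun that wires the parameters above together and binds the shared workspace to a PersistentVolumeClaim. This is an added example, not from the catalog: the git-resolver pathInRepo, the revision, the PVC name slan-cuan-workdir, the CA Secret name internal-ca and the hostnames are assumptions, and the required (non-default) parameters are the ones filled in first.

```yaml
# Constructed PipelineRun; placeholder values are marked with <...>.
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  generateName: slan-cuan-release-
spec:
  pipelineRef:
    resolver: git
    params:
      - name: url
        value: https://github.com/konflux-ci/release-service-catalog.git
      - name: revision
        value: <GIT_REVISION>
      - name: pathInRepo
        value: <PATH_TO_PIPELINE_YAML>      # assumed location of this pipeline
  params:
    # Parameters without defaults (must be set)
    - name: taskGitRevision
      value: <GIT_REVISION>
    - name: pnc-image
      value: quay.io/pnc-builds/foo@sha256:<DIGEST>   # pin by digest, not tag
    - name: signing-key
      value: <RADAS_SIGNING_KEY_NAME>
    - name: trustify-api-url
      value: https://trustify.stage.example.com
    - name: sso-token-url
      value: https://sso.example.com/auth/realms/token
    - name: pulp-url
      value: https://pulp.example.com
    - name: pulp-repository
      value: lightwell-maven
    # Optional overrides. register-insecure / publish-insecure stay at their
    # default "false"; a private CA is trusted through the ca-cert Secrets.
    - name: register-ca-cert-secret
      value: internal-ca
    - name: publish-ca-cert-secret
      value: internal-ca
    - name: ignore-patterns
      value: '.*-sources\.jar$,.*-javadoc\.jar$'
    - name: requester-id
      value: release-engineering@example.com
  workspaces:
    - name: shared-workspace            # mounted at /var/workdir in every task
      persistentVolumeClaim:
        claimName: slan-cuan-workdir    # assumed PVC name
```

The registry-auth, radas-config and trustify-sso Secrets are picked up under their default names, so their parameters are omitted here; set registry-auth-secret, radas-config-secret or sso-secret-name only when the Secrets are named differently.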