This is the Release Service Catalog - a collection of Tekton resources (Tasks, Pipelines, StepActions) for the Konflux CI Release Service. The repository facilitates and streamlines software release processes using Kubernetes-native CI/CD with Tekton.
- `tasks/managed/` - Production release tasks (signing, publishing, advisory management)
- `tasks/collectors/` - Data collection tasks; `tasks/internal/` - Internal workflow tasks
- `pipelines/managed/` - Release pipelines; `pipelines/run-collectors/` - Collection pipelines
- `stepactions/` - Reusable step actions; `hub/` - Tekton Hub resources
- `integration-tests/` - Test configs with encrypted Ansible Vault files

- Main branch: `development` (not main)
- Commits: Conventional commits enforced by gitlint, scope is a Jira ticket ID: `feat(JIRA-1234): message`, `fix(JIRA-1234): message`
- YAML style: 120-char max, consistent indentation, `---` document start, max 1 empty line
- Tekton tasks: Trusted Artifacts tasks with non-`release-service-utils` images MUST set `stepTemplate.securityContext.runAsUser: 1001`; all tasks SHOULD specify compute resource requirements
- Vault files (`.*vault.*\.(yaml|yml)$`): MUST be encrypted with `ansible-vault` before commit
- READMEs under `tasks/` and `pipelines/`: auto-generated, do not edit by hand

```bash
yamllint .                                                # YAML style (120ch, --- start)
gitlint --commits origin/development..HEAD                # Conventional commit format
check-jsonschema --check-metaschema schema/dataKeys.json  # Schema validation
pre-commit run --all-files                                # All hooks including vault encryption check
```

```bash
ansible-vault encrypt integration-tests/*/vault/secrets.yaml  # Encrypt before commit (MANDATORY)
scripts/check-vault-encrypted.sh path/to/vault/file.yaml      # Verify encryption
```

Never commit unencrypted vault files. Pre-commit hooks enforce this automatically.

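One way to implement the encryption check required above, as an added example rather than the repository's own `scripts/check-vault-encrypted.sh`. It assumes whole-file encryption, where `ansible-vault` writes a first line beginning with `$ANSIBLE_VAULT;`, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: fail when a vault-named YAML file is not ansible-vault encrypted.
# Not the repository's scripts/check-vault-encrypted.sh; function names are hypothetical.
set -eu
if (set -o pipefail) 2>/dev/null; then set -o pipefail; fi  # bash has it; plain sh may not

VAULT_PATH_RE='.*vault.*\.(yaml|yml)$'  # vault-file pattern from the conventions list
VAULT_HEADER='$ANSIBLE_VAULT;'           # start of a whole-file vault, e.g. $ANSIBLE_VAULT;1.1;AES256

# True when the path matches the vault-file pattern.
is_vault_path() {
  grep -Eq "${VAULT_PATH_RE}" <<EOF
${1}
EOF
}

# True only when the first line starts with the vault header. Empty or unreadable
# files, and files that only hold inline "!vault" values, count as unencrypted.
is_vault_encrypted() {
  local first_line=""
  [ -r "${1}" ] || return 1
  IFS= read -r first_line < "${1}" || true  # read fails on an empty file; keep going
  case "${first_line}" in
    "${VAULT_HEADER}"*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_vault_files FILE...: report every vault-named file lacking the header.
# Returns 1 if any was found, so it can gate a commit or a CI step.
check_vault_files() {
  local path rc=0
  for path in "$@"; do
    is_vault_path "${path}" || continue   # other YAML files are out of scope
    if ! is_vault_encrypted "${path}"; then
      printf 'UNENCRYPTED: %s\n' "${path}" >&2
      rc=1
    fi
  done
  return "${rc}"
}

# Stand-alone use: pass the candidate files as arguments.
check_vault_files "$@"
```

The check fails closed: a vault-named file that is empty, unreadable, or only partially encrypted is reported, not skipped.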
```bash
./scripts/run-local-tests.sh                              # Auto-detect changes
./scripts/run-local-tests.sh --pr-mode                    # CI-identical change detection
./scripts/run-local-tests.sh --parallel 2 tasks/managed/  # Parallel execution
./scripts/run-local-tests.sh tasks/managed/<task-name>    # Specific task
.github/scripts/tkn_check_compute_resources.sh            # Resource validation
.github/scripts/tkn_check_task_runasuser.sh               # Security compliance
```

Test locally first. Use `--pr-mode` for pre-merge validation. Check `test-results/summary.txt` after runs.

- Shell options: `set -eo pipefail` minimum in Tekton task scripts; `set -euo pipefail` for standalone scripts. Integration test `test.sh` files are sourced (not standalone) and inherit the caller's shell options
- Variables: always quote — `"${VAR}"`, `"$(command)"`; use `${VAR}` not `$VAR`
- JSON: build with `jq --arg`/`--argjson` or `jq -n`, never string concatenation or `echo`
- jq flags: `-r` for raw output, `-c` for compact, `-e` to exit non-zero on false/null
- Tekton results: `echo -n "value" > "$(results.name.path)"` — always `-n` to avoid trailing newlines
- curl: use `--retry 3`, `-s` for silent, `--fail-with-body` for error handling; pipe to `jq -r` for parsing
- Error handling: trap EXIT to write success/failure to results; always `exit 0` (let Tekton results carry status)
- Secrets: `set +x` before using sensitive values, re-enable after; read from mounted files, not env vars
- Cleanup: `mktemp` + `trap 'rm -f "${TEMP_FILE}"' EXIT`; use `pushd`/`popd` for directory changes

`README.md` files under `tasks/` and `pipelines/` are generated from the Tekton YAML. Do not edit them by hand.
Update `spec.description` and `spec.params` in the YAML, then run `./.github/scripts/readme_generator.sh <directory>`.

Run the full validation sequence:
```bash
yamllint .
gitlint --commits origin/development..HEAD
pre-commit run --all-files
check-jsonschema --check-metaschema schema/dataKeys.json
```